Preface


The study of cryptography is motivated, and continually driven forward, by security requirements in the real world. Setting its practical applications aside, cryptography can be viewed as a branch of mathematics. All the new directions of modern cryptography introduced in this book, including proxy re-cryptography, attribute-based cryptography, batch cryptography, and noncommutative cryptography, have arisen from such requirements. In this book, we focus on the fundamental definitions, precise assumptions, and rigorous security proofs of cryptographic primitives and related protocols, as well as how they developed from the security requirements and how they are applied.

As we know, modern cryptography has evolved dramatically since the 1970s. Nowadays, the field of cryptography encompasses much more than secure communication. It covers, for example, authentication, digital signatures, key establishment and exchange, zero-knowledge proofs, secure multiparty computation, electronic auctions and elections, digital cash, access control, and so on. Modern cryptography is concerned with security problems that arise in a variety of distributed environments where attacks may come from either internal or external forces. Instead of giving a rigid and perfect definition of modern cryptography, we say here that, from the viewpoint of applications, modern cryptography is the science and technology that focuses on defending digital information in storage, in transit, and in distributed computation over modern communication networks. These networks consist of, but are not limited to, wired or wireless telecommunication networks, satellite communication networks, broadcast and TV networks, computer networks (including organization-wide intranets and the Internet), and all newly emerging networks, such as the Internet of Things, cloud computing, social networks, and named data networks. Another important difference between classic cryptography and modern cryptography is related to who is using it. Historically, the major users of cryptography have been military and intelligence organizations. Today, however, cryptography is required everywhere in our lives. Security mechanisms that rely on cryptography have become an essential ingredient of information systems. For example, cryptographic methods are used to enforce access control to all web sites and to prevent adversaries from extracting business secrets from stolen laptops. In view of the increasing demands on network security, this book presents some application paradigms and general principles regarding new directions of modern cryptography.

In short, modern cryptography has gone from an art that deals with secret communication for the military and governments to the science and technology that helps ordinary people set up secure systems. This also means that cryptography is becoming a more and more central topic within computer science.

In fact, with the rise of new network architectures and services, the security requirements have changed significantly, that is, from single-user communication (each side is a single user) to multiuser communication (at least one side consists of multiple users). The public-key cryptosystem proposed by Diffie and Hellman in 1976 is not sufficient to satisfy the security requirements in multiuser settings. Under the new environments of “one sender vs. multiple receivers” (one-to-many), “multiple senders vs. one receiver” (many-to-one), and “multiple senders vs. multiple receivers” (many-to-many), there is a trend toward designing and analyzing multiuser-oriented cryptographic algorithms. They aim to solve ciphertext access control problems, trust problems, efficiency problems in multimessage cryptology, and the challenging problems posed by quantum and biological computing, among others.

In the last 10 years, I, as a founder and director of the Trusted Digital Technology Laboratory (TDT Lab) of Shanghai Jiao Tong University, have witnessed the progressively increasing demands on cryptographic techniques. I am proud of having been engaged in cryptography research for over 30 years. The TDT Lab is one of the earliest groups in the world focusing publicly on “Trusted-X Technology.” The TDT Lab focuses on research in cryptology and trusted digital technology. In cryptology, our research interests mainly include authorized cryptography (proxy cryptography, proxy re-cryptography), attribute-based cryptography (identity-based cryptography, spatial cryptography, functional cryptography), post-quantum cryptography (noncommutative cryptography, lattice-based cryptography), collaboration cryptography (aggregated cryptography, batch cryptography), biological cryptography (DNA cryptography, biometric-feature-based cryptography), commitment and zero-knowledge proofs, as well as cryptanalysis. In trusted digital technology, we mainly study trusted computing, trusted networks, secure storage/access, secure e-commerce/e-government, key management, and so on. The TDT Lab tries to pursue original innovation in fundamental research, acquire intellectual property in key technology, and promote industrial development inspired by our academic results. During these years, I have supervised 2 postdoctoral researchers, 19 Ph.D. students, and 50 master's students, and obtained a number of interesting results (along with my students and colleagues). This book can be viewed as part of the collection of these results.


Audience 

The goal of this book is to be of interest to cryptographers and practitioners of network security. In particular, it is aimed at the following readers. For students who have completed first-degree courses in computer/information science or applied mathematics and plan to pursue a degree or career in network security, this book may serve as an advanced course in applied cryptography. Fresh Ph.D. candidates beginning their research in cryptography or information/network security will appreciate the new directions introduced in this book. For security researchers and engineers who are interested in cloud computing security, e-health security, vehicular ad hoc network security, RFID security, delay-tolerant network security, network coding security, and other wired/wireless network security, and who are responsible for designing and developing secure network systems, this book may help them gain a solid understanding of the security principles and deploy the applications correctly. This book is also designed to serve as a reference for graduate courses in cryptography, computer science, and mathematics, or as a general introduction suitable for people who want to learn cryptography and security by themselves.
Chapter 1


Introduction 


In this chapter, we briefly review some security problems that arise in network environments and present the main idea of how to use modern cryptographic techniques to solve these problems. We want to emphasize that cryptography is the building block of most solutions to security problems.

1.1 Trust Problem 

1.1.1 Trusted Domains Transfer Problem 

We first discuss what the trusted domains transfer problem is. Suppose Alice and Bob belong to two trusted domains CA1 and CA2, respectively, and they want to build a trust relationship. In a public key infrastructure (PKI), CA1 and CA2 are two certificate authorities. Every user in a trusted domain has a public key certificate, which is a signature issued by the certificate authority to bind a public key to an identity. A certificate can be used to verify that a public key belongs to an individual.

However, Alice can only verify and trust the certificates from the certificate authority CA1, and Bob can only verify and trust those from CA2. In the scenario shown in Figure 1.1, how to build a trust relationship between Alice in the trusted domain CA1 and Bob in CA2 is a practical problem.



Figure 1.1: Trusted Domains Transfer Problem 


Solution: The main idea to solve this problem is to set up a transfer server, called a proxy, that is allowed to transform certificates from CA1 to CA2, as shown in Figure 1.2. However, the proxy cannot generate new certificates in CA1 or CA2 by itself. We may require extra abilities of the proxy in some concrete applications.



Figure 1.2: A Solution to Trusted Domains Transfer Problem 

Sometimes it is desired that certificates in CA1 can be transformed into ones in CA2, while certificates in CA2 cannot be transformed into ones in CA1, as shown in Figure 1.3. This requires that the proxy can only do the unidirectional transformation. The new ability of the proxy required in this case is authorized only by CA2. If the ability of the proxy is authorized by both CA1 and CA2, then the proxy could do the bidirectional transformation.





Figure 1.3: Unidirectional Transfer 

On the other hand, the requirements in the trusted domains transfer problem could be further extended. As shown in Figure 1.4, certificates in CA1 can be transformed into ones in CA2 via Proxy 1, and further transformed into ones in CA3 via Proxy 2. If the process can continue multiple times, the method of trusted domains transfer is multiuse. Otherwise, it is single-use.

Fortunately, we have a new cryptographic primitive called proxy re-signature [29] to solve the above problem. We will give a comprehensive introduction to proxy re-signature in Chapter 2 and discuss more of its applications in Chapter 6.

1.1.2 Trusted Server Problem 

Cloud computing is drawing more and more attention from the information and 
communication technology community, since it can significantly reduce the costs of 
hardware and software resources in computing infrastructure. 

Figure 1.4: Multiuse Transfer.

In cloud computing, the cloud storage server is responsible for storing users' data, including sensitive data, and the cloud access control server is responsible for exerting control over who can access the data stored in the cloud storage server. It is usually required that the cloud access control server be fully trusted.

However, this requirement cannot be met in practice for two reasons. One is that the provider(s) of the cloud access control service cannot be assumed to be fully trusted, because they could become corrupted in some situations. The other is that intruders could break into the cloud access control server even if the provider(s) is absolutely trusted. Hence, the trusted server problem in cloud computing should be solved in order to advance the development of cloud computing.

A possible solution is to store the encrypted plaintexts (i.e., ciphertexts) in the cloud storage server. If the ciphertexts are used only by the encryptor himself/herself, the trusted server problem is easily solved. When the ciphertexts need to be shared with others and the access control server has no right to perform decryption, it becomes a challenging problem. In this situation, we can conceive the following solution: let the encryptor authorize the access control server with the right to transform the ciphertexts so that the delegated users can decrypt the resulting ciphertexts, while the access control server itself cannot decrypt the ciphertexts. This paradigm is shown in Figure 1.5.

Figure 1.5: A Solution to Trusted Server Problem

The above conceived solution could be implemented if the access control server, under the authorization of the encryptor, can transform the ciphertexts stored in the cloud storage server into a new form with the same plaintexts that can only be decrypted by the designated receivers. If we regard the access control server, encryptor, designated receivers, and authorization messages as the proxy, delegator, delegatees, and re-encryption keys, respectively, the above solution becomes a particular case of proxy re-encryption.

Proxy re-encryption was proposed by Blaze et al. [29] and has many applications. Depending on the concrete application, proxy re-encryption may need to satisfy additional properties. We will discuss them in Chapters 2 and 6.


1.2 Ciphertext Access Control Problem 

Assume that a data owner intends to store, in a storage server, a private message that is to be accessed by a specific set of users. The current solution is that the data owner stores the data in plaintext form in the storage server, and the users' access rights are specified by access control lists that are created by the data owner and enforced by the access control server, as shown in Figure 1.6. The users specified by the access control lists and verified by the access control server can access the message. However, as mentioned in the above section, in practice, the trust and security issues of the servers are always serious.




Figure 1.6: Access Control Model 

A trivial method would be to store the data in ciphertext form in the servers. However, current encryption systems do not allow a ciphertext to be efficiently shared among a group of users. It has become urgent to develop an efficient and flexible method to share data directly based on ciphertexts that embeds the access control policy. Fortunately, Bethencourt et al. [27] proposed such a cryptographic primitive, called ciphertext-policy attribute-based encryption (CP-ABE), which initiated a new direction in solving the ciphertext access control problem.

The concept of attribute-based encryption (ABE) was first proposed by Goyal et al. [128] in 2005. They also constructed a concrete scheme called key-policy attribute-based encryption (KP-ABE). In KP-ABE, as shown in Figure 1.7, each ciphertext is labeled by the encryptor with a set of descriptive attributes, and each private key is associated with an access structure that specifies which type of ciphertexts the key can decrypt. In CP-ABE, as shown in Figure 1.8, the roles are reversed: each private key is associated with a set of attributes and each ciphertext is associated with an access structure.

Figure 1.7: Key-Policy ABE

Figure 1.8: Ciphertext-Policy ABE

For example, in Figure 1.8, the access structure of ciphertext File 1 is “{(Computer science) AND (Admissions)} OR (Bob)”, representing that a qualified user should be either an enrolled student in the department of computer science or Bob. As Jack's attribute set {Jack, Computer science, Admissions} satisfies the ciphertext access structure, he can decrypt File 1 successfully by using his private key. Moreover, he cannot decrypt ciphertext File 2, since his attribute set does not satisfy the access structure “{(Computer science) OR (Admissions)} AND (Bob)” of File 2.

Recall the scenario discussed in Section 1.1.2, where the proxy can merely transform a ciphertext into another one that can only be decrypted by a designated user. In practice, however, it is more often required that the proxy be able to transform a ciphertext into another one that can be decrypted by a group of designated users. We propose a new concept of attribute-based proxy re-encryption [191], called ABPRE, which is a more powerful cryptographic primitive that can settle this problem efficiently.

To better understand the concept of ABPRE, we demonstrate an application scenario of a personal information system in a university. In this system, there are confidential records of the grades of every student. These records are encrypted into a ciphertext under the access structure “((AGE > 40) AND (Tenure)).” Professors who are older than 40 and hold a tenured position are qualified to retrieve the confidential records by using their own, different private keys. Nevertheless, when these professors are on vacation, it is necessary to find some trustworthy delegatees who are able to decrypt the ciphertext in time. Therefore, ABPRE allows a qualified professor to authorize a proxy (administrator) who can transform a ciphertext into another ciphertext encrypted under a different access structure so that the corresponding delegatees can retrieve the records. For example, the delegated access structure can be defined as “(Secretary) AND (EXP > 2)”, which represents secretaries with at least 2 years of working experience. Therefore, even if no qualified professor is available, some experienced secretaries can open the confidential records with the help of the authorized administrator.
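As an added illustration (not code from the book), the following Python evaluates access structures written in the notation used above, with AND/OR connectives, braces and parentheses for grouping, and numeric comparisons such as (AGE > 40), against a user's attribute set; it checks Jack's case for File 1 and File 2 from Figure 1.8 as well as the professor and secretary policies. The parser, the attribute-set representation (plain attributes map to True, numeric ones to an integer), and the sample data are assumptions of the example; comparison operators other than ">" are supported for generality.

```python
import re
from typing import Callable, Dict, List, Union

# An attribute set: plain attributes map to True, numeric attributes map to an int.
Attrs = Dict[str, Union[bool, int]]
Policy = Callable[[Attrs], bool]

# Tokens: braces/parentheses, comparison operators, integers, and words.
_TOKEN_RE = re.compile(r"[{}()]|>=|<=|>|<|=|\d+|[A-Za-z]+")
_WORD_RE = re.compile(r"[A-Za-z]+")
_OPS = {
    ">": lambda x, y: x > y, ">=": lambda x, y: x >= y,
    "<": lambda x, y: x < y, "<=": lambda x, y: x <= y,
    "=": lambda x, y: x == y,
}


class _Parser:
    """Recursive-descent parser for access structures (assumed grammar):
    expr := term ('OR' term)*, term := factor ('AND' factor)*,
    factor := '(' leaf ')' | '(' expr ')' | '{' expr '}'.
    A leaf is a multi-word attribute name, optionally compared against an integer."""

    def __init__(self, policy: str):
        self.toks = _TOKEN_RE.findall(policy)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self) -> Policy:
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def expr(self) -> Policy:
        node = self.term()
        while self.peek() == "OR":
            self.take("OR")
            node = (lambda l, r: lambda a: l(a) or r(a))(node, self.term())
        return node

    def term(self) -> Policy:
        node = self.factor()
        while self.peek() == "AND":
            self.take("AND")
            node = (lambda l, r: lambda a: l(a) and r(a))(node, self.factor())
        return node

    def factor(self) -> Policy:
        opener = self.take()
        if opener not in ("(", "{"):
            raise ValueError(f"expected '(' or '{{', got {opener!r}")
        node = self.leaf() if opener == "(" and self._leaf_ahead() else self.expr()
        self.take(")" if opener == "(" else "}")
        return node

    def _leaf_ahead(self) -> bool:
        # A '(' opens a leaf when nothing structural appears before its closing ')'.
        for tok in self.toks[self.pos:]:
            if tok == ")":
                return True
            if tok in ("(", "{", "}", "AND", "OR"):
                return False
        return False

    def leaf(self) -> Policy:
        words = []
        while self.peek() is not None and _WORD_RE.fullmatch(self.peek()):
            words.append(self.take())
        name = " ".join(words)
        if not name:
            raise ValueError("empty attribute name")
        if self.peek() in _OPS:                       # numeric attribute, e.g. (AGE > 40)
            cmp, bound = _OPS[self.take()], int(self.take())
            return lambda a: (name in a and not isinstance(a[name], bool)
                              and cmp(a[name], bound))
        return lambda a: name in a                     # plain attribute, e.g. (Tenure)


def compile_policy(policy: str) -> Policy:
    """Turn an access-structure string into a predicate over attribute sets."""
    return _Parser(policy).parse()


def satisfies(policy: str, attrs: Attrs) -> bool:
    return compile_policy(policy)(attrs)


def decryptable(attrs: Attrs, files: Dict[str, str]) -> List[str]:
    """Names of the ciphertexts (file -> access structure) these attributes can open."""
    return [name for name, policy in files.items() if satisfies(policy, attrs)]


# Constructed sample data mirroring the book's scenarios.
FILES = {
    "File 1": "{(Computer science) AND (Admissions)} OR (Bob)",
    "File 2": "{(Computer science) OR (Admissions)} AND (Bob)",
}
JACK = {"Jack": True, "Computer science": True, "Admissions": True}
RECORDS_POLICY = "((AGE > 40) AND (Tenure))"
DELEGATED_POLICY = "(Secretary) AND (EXP > 2)"

if __name__ == "__main__":
    print(decryptable(JACK, FILES))                                    # ['File 1']
    print(satisfies(RECORDS_POLICY, {"AGE": 45, "Tenure": True}))      # True
    print(satisfies(DELEGATED_POLICY, {"Secretary": True, "EXP": 3}))  # True
```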

A more general relationship between users and ciphertexts is shown in Figure 1.9.

Figure 1.9: Attribute Based Proxy Re-encryption with Delegating Capabilities

Suppose there are three users and three ciphertext sets in this system, where user U1 is able to decrypt any ciphertext in sets C1 and C2 encrypted under access structures AS1 and AS2, while users U2 and U3 are able to decrypt ciphertexts in C3 corresponding to AS3. Then, U1 authorizes a proxy with a re-key that can be used to transform the ciphertexts of C1 and C2 into those of C3. In this way, even if U1 is offline, U2 and U3 can still retrieve the information encrypted in C1 and C2 with the help of U1's proxy.


1.3 Efficiency Problems in Multi-Message Cryptology 

With the development of networks, there are many scenarios related to multiple requests processing, as shown in Figure 1.10. The server receives multiple encrypted requests from different clients using the server's public key. In this scenario, is it necessary for the server to decrypt all the requests one by one? Generally, it is. But it is very inefficient when the number of requests becomes large. A similar scenario appears in the key exchange among many clients and a central server.

Figure 1.10: Multiple Requests Processing

Another scenario is that of a famous star signing his books or discs for sale, as shown in Figure 1.11. He has to meet a lot of his fans and sign his name many times, which leaves him exhausted. Digital signatures continually face similar scenarios in e-government or e-business. In these scenarios, is it necessary for the signers to sign one by one? Generally, they can only sign one by one, which results in low efficiency when the number of files to be signed is large.

A similar scenario exists in current broadcast/multicast authentication, where the signatures need to be verified one by one. In this case, is it necessary to verify in such an inefficient way? Generally, it is. However, verifiers become exhausted due to excessive signature verification. The situation becomes even worse in the case of energy-constrained networks such as wireless sensor networks and mobile ad hoc networks.


Figure 1.11: Signing Multiple Files

Taking into account the above scenarios, it has become critical to introduce a new direction of modern cryptography, batch cryptography, which includes batch decryption, batch key agreement, and batch verification to solve the multi-message processing problem and its security and efficiency problems in the real world. Readers can refer to Chapters 4 and 6 for more details.


1.4 The Challenges from Quantum and Biological Computing

In 1994, Shor [257] proposed a polynomial time algorithm for solving the integer factorization problem (see footnote 1) and the discrete logarithm problem using quantum computers. Meanwhile, most modern cryptographic schemes are based on the hardness of the integer factorization problem and the discrete logarithm problem. If quantum computers become available, the modern cryptography based on the above two problems would collapse.

Biological computing, which at present refers to DNA computing [2], is considered to have super computing capability, possibly even greater than that of quantum computing. If a biological computer appears, we believe that it will bring the same challenges to modern cryptography.

1 For detailed remarks on Shor's algorithm, please refer to the footnote on page 234 of this book.

Therefore, what is the future of cryptography? To answer this question, we suggest gaining some insight from the history of cryptography.

Historically, stream ciphers, block ciphers, and related work use the same key for both encryption and decryption; they form symmetric cryptography. The milestones in symmetric cryptography are the communication theory of secrecy systems proposed by Shannon [243,244] in 1949 and the data encryption standard (DES) [222] in 1975.

In 1976, Diffie and Hellman [99] proposed the new direction of cryptography: asymmetric encryption in the network environment. Two different keys are required in their work: one is public, for encryption, and the other is private, for decryption.

Although they did not propose any concrete encryption scheme, their work paved the way for asymmetric encryption. After that, many researchers proposed concrete schemes such as RSA [233], based on the integer factorization problem, and ElGamal [107], based on the discrete logarithm problem. Following this method, researchers have obtained many fruitful results, which form asymmetric cryptography.

Both symmetric cryptography and asymmetric cryptography are based on commutative algebraic structures. We call these kinds of cryptography commutative cryptography. As we have seen the transition of cryptography from “symmetric” to “asymmetric,” the next transition of cryptography might be from “commutative” to “noncommutative.” We refer to cryptography based on noncommutative algebraic structures as noncommutative cryptography.

Some computationally hard problems based on noncommutative algebraic structures might be essential to resist quantum computing or biological computing. Thus, one possible direction of modern cryptography is to securely bridge commutative cryptography to noncommutative cryptography. Another possible direction is to explore noncommutative algebraic structures from quantum theory and biological technology. We will discuss this in detail in Chapters 5 and 6.
1.5 Organization

The theme of this book is to introduce some new directions of modern cryptography. The main idea we want to express is: cryptography is born of and driven by application requirements. We will cover four kinds of modern cryptography: proxy re-cryptography, attribute-based cryptography, batch cryptography, and noncommutative cryptography. This book consists of the following chapters. Chapter 1 introduces the background and motivation for writing this book. Chapters 2, 3, 4, and 5, respectively, introduce proxy re-cryptography, attribute-based cryptography, batch cryptography, and noncommutative cryptography, including the fundamental definitions, security models, concrete schemes, and security proofs. In Chapter 6, we present some applications and challenging problems related to the above kinds of cryptography.
Chapter 2


Proxy Re-Cryptography 

2.1 Introduction 

Proxy re-cryptography can be used to solve the trust problem in the scenarios mentioned in Chapter 1. Besides, there are many promising applications.

Many companies have developed digital rights management (DRM) technologies, which can prevent illegal redistribution of digital content. With DRM systems, the digital content can only be played in a specified device (regime). For example, a song playable in device (regime) A cannot be played in device (regime) B. However, it is reported that 86% of consumers would rather pay twice the price for a song that can run on any device than buy one tied to a single device [155]. Most current interoperability architectures require changing the existing DRM systems significantly [176], and this modification cannot be adopted for business reasons. At ACM DRM 2006, Taban et al. [271] proposed a new interoperability architecture, which does not change the existing DRM systems much but maintains the DRM systems' security. In their architecture, only a new module called the domain interoperability manager (DIM) is introduced. The DIM applies a single signature scheme and a single public key encryption scheme that can transform licenses and content in regime A into ones in regime B, but it cannot generate valid licenses or content in either regime A or regime B. It is easy to see that traditional signatures and public key encryption cannot support such transformation, which, however, can be easily implemented by proxy re-cryptography.

In this chapter, we will give a comprehensive introduction to proxy re-cryptography, especially the security models of proxy re-cryptography. Furthermore, we introduce one proxy re-signature scheme and one proxy re-encryption scheme for illustration.

2.2 Proxy Re-Signature 

Proxy re-signature (PRS), introduced by Blaze et al. [29] at Eurocrypt 1998, and 
formalized by Ateniese and Hohenberger [11] at ACM CCS 2005, allows a semi-trusted 
proxy to transform a delegatee’s (Alice) signature into a delegator’s (Bob) signature on 
the same message by using some additional information (a.k.a. re-signature key). The 
proxy, however, cannot generate arbitrary signatures on behalf of either the delegatee or 
the delegator. 

2.2.1 Properties and Definition 

Before giving the formal definition of PRS, we would like to list the desired properties of PRS [11]:

• Unidirectional: In this scheme, a re-signature key allows the proxy to transform 
Alice’s signature to Bob’s but not vice versa. On the other hand, in a bidirectional 
scheme, the re-signature key allows the proxy to transform Alice’s signature to 
Bob’s as well as Bob’s signature to Alice’s. 

• Multiuse: In a multiuse scheme, a transformed signature can be re-transformed again by a proxy, while in a single-use scheme, a proxy can transform only signatures that have not yet been transformed.

• Private proxy: A proxy can keep the re-signature key as a secret in a private 
proxy scheme, but anyone can recompute the re-signature key by observing the 
re-signature process passively in a public proxy scheme. 

• Transparent: In a transparent scheme, users may not even know the existence of 
a proxy. 

• Key-optimal: In a key-optimal scheme, a user is required to protect and store only 
a small constant amount of secrets no matter how many signature delegations the 
user gives or accepts. 

• Noninteractive: The delegatee is not required to participate in the delegation process. Bidirectional PRS cannot be noninteractive, since a delegator is also a delegatee.

• Non-transitive: A re-signature key cannot be generated from two other re-signature keys. For example, the re-signature key from Alice to Bob cannot be generated from the re-signature keys from Alice to Tina and Tina to Bob.

• Temporary: A re-signing right is temporary. This can be done by either revoking 
the right [11] or expiring the right. 

• Collusion-resistant: The delegator can delegate the signing rights to the delegatee 
via the proxy, while keeping decryption rights for the same public key. 

Now we give the formal definition of PRS. 

Definition 2.2.1 (Proxy Re-Signature). A PRS scheme consists of the following five probabilistic polynomial time (p.p.t.) algorithms:

• KeyGen: It takes as input the security parameter $\lambda$, and returns a verification key $pk$ and a signing key $sk$.
• ReKeyGen: It takes as input delegatee Alice's key pair $(pk_A, sk_A)$ and delegator Bob's key pair $(pk_B, sk_B)$, and returns a re-signature key $rk_{A \to B}$ for the proxy. If the PRS scheme is unidirectional, the delegatee's signing key is not included in the input. If the PRS is bidirectional, the proxy can easily obtain $rk_{B \to A}$ from $rk_{A \to B}$. In many bidirectional schemes [11,29,250], $rk_{A \to B} = 1/rk_{B \to A}$.

• Sign: It takes as input a signing key $sk$, a positive integer $\ell$, and a message $m$ from the message space, and returns a signature $\sigma$ at level $\ell$. If the PRS scheme is single-use, then $\ell \in \{1, 2\}$.

• ReSign: It takes as input a re-signature key $rk_{A \to B}$ and a signature $\sigma_A$ on a message $m$ under $pk_A$ at level $\ell$, and returns the signature $\sigma_B$ on the same message $m$ under $pk_B$ at level $\ell + 1$ if $\mathrm{Verify}(pk_A, m, \sigma_A, \ell) = 1$, or reject otherwise. If the PRS scheme is single-use, then $\ell = 1$.

• Verify: It takes as input a verification key $pk$, a message $m$ from the message space, a signature $\sigma$, and a positive integer $\ell$, and returns 1 if $\sigma$ is a valid signature under $pk$ at level $\ell$, or 0 otherwise.

Correctness. The following property must be satisfied for the correctness of a PRS scheme: For any message $m$ in the message space and any two key pairs $(pk_A, sk_A)$ and $(pk_B, sk_B)$, let $rk_{A \to B} \leftarrow \mathrm{ReKeyGen}(pk_A, sk_A, pk_B, sk_B)$; then the following two equalities must hold:

$$\mathrm{Verify}(pk_A, m, \sigma_A, \ell) = 1,$$

where $\sigma_A$ is a signature on message $m$ under $pk_A$ at level $\ell$ from Sign. If the PRS scheme is single-use, then $\ell \in \{1, 2\}$, or $\ell \geq 1$ otherwise.

$$\mathrm{Verify}(pk_B, m, \mathrm{ReSign}(rk_{A \to B}, pk_A, m, \sigma'_A, \ell - 1), \ell) = 1.$$

If the PRS scheme is single-use, $\sigma'_A$ is a signature on message $m$ under $pk_A$ from Sign with $\ell = 2$; if it is multiuse, $\sigma'_A$ could be a signature on message $m$ under $pk_A$ from Sign with $\ell = 2$ or from ReSign with $\ell > 2$.

Remark 2.2.2 (Two Types of Signatures). In all existing unidirectional PRS schemes, a signature manifests in two types: the owner-type (i.e., the first-level signatures defined in [11], and $\ell = 1$ in this chapter) and the nonowner-type (i.e., the second-level signatures in [11], and $\ell > 1$ in this chapter). An owner-type signature can be computed only by the owner of the signing key via Sign, while a nonowner-type signature can be computed not only by the owner of the signing key via Sign, but also by collaboration between his/her proxy and delegatee via ReSign.

If there is only one signature type in a PRS scheme, the parameter $\ell$ in all algorithms can be omitted.
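To make the five algorithms of Definition 2.2.1 and the correctness conditions concrete, here is an added toy model (not a scheme from this book or from [11,29,250]) of a bidirectional, multiuse PRS in a shared-modulus RSA setting: a trusted dealer who knows φ(N) issues every key pair and every re-signature key, signatures have the form H(m)^sk mod N, and ReSign raises a signature to the power rk_{A→B} = sk_B / sk_A mod φ(N). The modulus, the hash, and all names are assumptions of the example; it also exercises the relation rk_{A→B} = 1/rk_{B→A} stated above and the level bookkeeping that distinguishes single-use from multiuse schemes.

```python
import hashlib
import random
from dataclasses import dataclass
from math import gcd

# Constructed toy parameters: one RSA modulus shared by all users, issued by a trusted
# dealer who keeps phi(N).  The primes are tiny, for illustration only.
_P, _Q = 1000003, 1000033
N = _P * _Q
PHI = (_P - 1) * (_Q - 1)


@dataclass(frozen=True)
class Signature:
    value: int   # H(m)^sk mod N
    level: int   # the level ell of Definition 2.2.1: 1 from Sign, ell + 1 after each ReSign


def H(message: bytes) -> int:
    """Toy full-domain hash of the message into Z_N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def keygen(seed=None):
    """KeyGen (run by the dealer): verification key pk = e, signing key sk = d,
    with e * d = 1 (mod phi(N)).  A seed makes key generation reproducible."""
    rng = random.Random(seed)
    while True:
        e = rng.randrange(3, PHI, 2)
        if gcd(e, PHI) == 1:
            return e, pow(e, -1, PHI)


def sign(sk: int, message: bytes, level: int = 1) -> Signature:
    """Sign: sigma = H(m)^sk mod N at the requested level."""
    return Signature(pow(H(message), sk, N), level)


def verify(pk: int, message: bytes, sig: Signature, single_use: bool = False) -> bool:
    """Verify: sigma^pk == H(m) (mod N), and the level is admissible for the scheme
    (ell in {1, 2} for single-use, ell >= 1 for multiuse)."""
    max_level = 2 if single_use else float("inf")
    if not 1 <= sig.level <= max_level:
        return False
    return pow(sig.value, pk, N) == H(message)


def rekeygen(pk_a: int, sk_a: int, pk_b: int, sk_b: int) -> int:
    """ReKeyGen (bidirectional, run by the dealer): rk_{A->B} = sk_B / sk_A mod phi(N).
    Because sk_A^{-1} mod phi(N) is exactly pk_A, this equals sk_B * pk_A mod phi(N)."""
    return (sk_b * pow(sk_a, -1, PHI)) % PHI


def resign(rk: int, pk_a: int, message: bytes, sig_a: Signature,
           single_use: bool = False):
    """ReSign: check sigma_A under pk_A, then raise it to rk to obtain sigma_B at
    level + 1.  Returns None (reject) for an invalid input signature or for a level
    the scheme forbids (a single-use scheme re-signs only level-1 signatures)."""
    if not verify(pk_a, message, sig_a, single_use):
        return None
    if single_use and sig_a.level != 1:
        return None
    return Signature(pow(sig_a.value, rk, N), sig_a.level + 1)


if __name__ == "__main__":
    pk_a, sk_a = keygen(1)
    pk_b, sk_b = keygen(2)
    m = b"certificate: pk_alice belongs to Alice"      # constructed message
    sigma_a = sign(sk_a, m)
    rk_ab = rekeygen(pk_a, sk_a, pk_b, sk_b)
    sigma_b = resign(rk_ab, pk_a, m, sigma_a)
    print(verify(pk_b, m, sigma_b), sigma_b.level)                  # True 2
    print(pow(rk_ab, -1, PHI) == rekeygen(pk_b, sk_b, pk_a, sk_a))  # True
```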

2.2.2 Related Work 

Though PRS has many applications, as we mentioned in Chapter 1, it has a rather simple history. The first PRS scheme, which is multiuse, public proxy and bidirectional, was proposed by Blaze et al. [29] at Eurocrypt 1998. However, there was no follow-up until the work published by Ateniese and Hohenberger [11] at ACM CCS 2005. One of the reasons is that the definition of proxy re-signatures in [29] was informal and could easily be confused with other signature variants. Ateniese and Hohenberger [11] first formalized the definition of security for PRS, referred to as the AH model in this chapter, and then proposed three PRS schemes with security proofs. The first one is multiuse, private proxy and bidirectional; the second one is single-use, public proxy and unidirectional; and the third one is single-use, private proxy and unidirectional. Later, by using Waters' identity-based signature [289], we [250] proposed a multiuse, private proxy and bidirectional PRS scheme, and Chow and Phan [85] proposed a single-use, private proxy and unidirectional PRS scheme. Libert and Vergnaud [193] proposed a multiuse, private proxy and unidirectional scheme. All the PRS schemes [11,85,193,250] are proven secure in the AH model.

Recently, we [251] found that the AH model is suitable for almost all proxy re-signatures
except the private proxy and unidirectional PRS. To deal with this problem,
we [251] proposed an improvement of the AH model (AH+ model for short). Fortunately,
the previous schemes proven secure in the AH model can still be proven secure in the
AH+ model. Following this, we [252] further extended the AH+ model to the ID-based
setting, and proposed a unidirectional, single-use, private proxy, and ID-based PRS.

The properties satisfied by some PRS schemes are summarized in Table 2.1.


Table 2.1: Properties of some PRS schemes

Property^a        P1   P2   P3   P4   P5   P6   P7   P8   P9
BBS [29]          ✗    ✓    ✗    ✓    ✓    ✗    ✗    ✓    ✗
AH05a [11]        ✗    ✓    ✓    ✓    ✓    ✗    ✗    ✓    ✗
AH05b [11]        ✓    ✗    ✗    ✓    ✓    ✓    ✓    ✓    ✓
AH05c [11]        ✓    ✗    ✓    ✓    ✓    ✓    ✓    ✓    ✓
SCWL07a [250]     ✗    ✓    ✓    ✓    ✓    ✗    ✗    ✓    ✗
SCWL07b [250]     ✗    ✓    ✓    ✓    ✓    ✗    ✗    ✓    ✗
CP08 [85]         ✓    ✗    ✓    ✓    ✓    ✓    ✓    ✓    ✓
LV08 [193]        ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓
SWLX11 [252]      ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓

^a P1, ..., P9 denote unidirectional, multiuse, private proxy, transparent, key-optimal, non-transitive,
temporary, and collusion-resistant, respectively.


In the rest of this section, we first introduce the security model of PRS, the
AH model. Then we introduce the multiuse, private proxy and bidirectional PRS
scheme [250] proposed at Indocrypt 2007. After that, we show the incompleteness
of the AH model, and give an improvement, the AH+ model [251].


2.2.3 Security Model: The AH Model 

The AH model mainly deals with the unforgeability of signatures; it contains external
security and internal security. These two parts contain four security games between an
adversary A and a challenger C. Before the games start, the adversary should decide
which users (delegatee/delegator) are to be corrupted. Furthermore, all the verification
keys in the games are generated by the challenger. If the adversary obtains the signing
key of a user via $O_{sk}$, then the user is declared corrupted. We assume that the adversary
never invokes a query twice; if it does, the challenger simply returns the previous value.

The following oracles can be queried in the four games:

• Verification key query $O_{pk}$: On receiving an index $i$ from the adversary A, the
challenger C responds by running KeyGen$(1^\lambda)$ to get a key pair $(pk_i, sk_i)$, and
forwards the verification key $pk_i$ to the adversary. Finally, the challenger records
$(pk_i, sk_i)$ in Table $T_k$, which is initialized as empty and used to record the key
pairs of users. In the following oracles, $sk_i$ denotes the signing key corresponding
to the verification key $pk_i$.

• Signing key query $O_{sk}$: On receiving a verification key $pk_i$ from the adversary
A, the challenger C responds with $sk_i$, the value associated with $pk_i$ in
Table $T_k$, if $pk_i$ is corrupted; otherwise the challenger C responds with reject.

• Re-signature key query $O_{rk}$: On receiving two verification keys $pk_i, pk_j$ ($pk_i \neq
pk_j$) from the adversary A, the challenger C responds with ReKeyGen$(pk_i, sk_i,
pk_j, sk_j)$. Note that for bidirectional PRS, we consider queries with $(pk_i, pk_j)$
and $(pk_j, pk_i)$ to be identical.

• Signature query $O_s$: On receiving a verification key $pk_i$ and a message $m$ from
the adversary A, the challenger C responds with Sign$(sk_i, m, 1)$.

• Re-signature query $O_{rs}$: On receiving two verification keys $pk_i, pk_j$ ($pk_i \neq pk_j$),
a message $m_i$, and a signature $\sigma_i$ at level $\ell$ from the adversary A, the challenger
C responds with ReSign(ReKeyGen$(pk_i, sk_i, pk_j, sk_j), pk_i, m_i, \sigma_i, \ell)$.


Now, we introduce the four security games as follows: 
External Security: This security protects a user from outside adversaries other than
the proxy and any delegation parties. The game goes as follows:

• Queries: The adversary A can make queries to oracles $O_{pk}$, $O_{rs}$, and $O_s$ adaptively.

• Forgery: The adversary A outputs a signature $\sigma^*$ on message $m^*$ on behalf of
$pk^*$ at level $\ell^*$. The adversary is declared the winner of the game if all of the
following requirements are satisfied:

- Verify$(pk^*, m^*, \sigma^*, \ell^*) = 1$;

- The adversary A never obtains a signature on message $m^*$ under the verification
key $pk^*$ by querying $O_s$ with $(pk^*, m^*)$, or by querying $O_{rs}$ with
$(\cdot, pk^*, m^*, \cdot, \cdot)$.

A PRS scheme has external security if and only if for security parameter $\lambda$ and all
p.p.t. algorithms $\mathcal{A}$, $\Pr[\mathcal{A} \text{ wins}]$ is negligible.

Internal Security: This security protects a user from inside adversaries, who can be
any parties, i.e., the proxy, the delegatee, or the delegator, in a PRS scheme. It can be
classified into the following three types:

Limited Proxy: In this case, only the proxy is a potential adversary A. We must be
sure that the proxy cannot produce signatures on behalf of either the delegator or the
delegatee, except for the signatures produced by the delegatee and delegated to the proxy to
re-sign. The game goes as follows:

• Queries: The adversary A can make queries to oracles $O_{pk}$, $O_{rk}$, $O_{rs}$, and $O_s$
adaptively.

• Forgery: The adversary A outputs a signature $\sigma^*$ on message $m^*$ on behalf of
$pk^*$ at level $\ell^*$. The adversary is declared the winner of the game if all of the
following requirements are satisfied:

- Verify$(pk^*, m^*, \sigma^*, \ell^*) = 1$;

- The adversary A never obtains a signature on message $m^*$ under the verification
key $pk^*$ by querying $O_s$ with $(pk^*, m^*)$, or by querying $O_{rs}$ with
$(\cdot, pk^*, m^*, \cdot, \cdot)$;

- If the PRS scheme is single-use, and the adversary A obtains a re-signature
key from $pk_i$ to $pk^*$ directly from $O_{rk}$, then the adversary A never obtains
a signature on message $m^*$ under the verification key $pk_i$ by querying $O_s$
with $(pk_i, m^*)$;

- If the PRS scheme is multiuse, and the adversary A obtains re-signature
keys corresponding to $(pk_{i_1}, pk_{i_2}), (pk_{i_2}, pk_{i_3}), \ldots, (pk_{i_t}, pk^*)$, then the
adversary A never obtains a signature on message $m^*$ under the verification
key $pk_i$ ($i \in \{i_1, \ldots, i_t\}$) by querying $O_s$ with $(pk_i, m^*)$, or by querying
$O_{rs}$ with $(\cdot, pk_i, m^*, \cdot, \cdot)$.

A PRS scheme has limited proxy security if and only if for security parameter $\lambda$ and
all p.p.t. algorithms $\mathcal{A}$, $\Pr[\mathcal{A} \text{ wins}]$ is negligible.

Delegatee Security. In this case, the proxy and delegator may collude with each other.
This security guarantees that their collusion cannot produce any signatures on behalf of
the delegatee.

The game goes as follows:

• Queries: The adversary A can make queries to oracles $O_{pk}$, $O_{sk}$, $O_{rk}$, $O_{rs}$, and
$O_s$ adaptively.

• Forgery: The adversary A outputs a signature $\sigma^*$ on message $m^*$ on behalf of
$pk^*$ at level $\ell^*$. The adversary is declared the winner of the game if all of the
following requirements are satisfied:

- $pk^*$ is uncorrupted;

- $pk^*$ has not been a delegator in this game;

- Verify$(pk^*, m^*, \sigma^*, \ell^*) = 1$;

- The adversary A never obtains a signature on message $m^*$ under the verification
key $pk^*$ by querying $O_s$ with $(pk^*, m^*)$.

A PRS scheme has delegatee security if and only if for security parameter $\lambda$ and all
p.p.t. algorithms $\mathcal{A}$, $\Pr[\mathcal{A} \text{ wins}]$ is negligible.

Delegator Security. In this case, the proxy and delegatee may collude with each other.
This security guarantees that their collusion cannot produce any owner-type signatures
on behalf of the delegator.

The game goes as follows:

• Queries: The adversary A can make queries to oracles $O_{pk}$, $O_{sk}$, $O_{rk}$, $O_{rs}$, and
$O_s$ adaptively.

• Forgery: The adversary A outputs a signature $\sigma^*$ on message $m^*$ on behalf of
$pk^*$ at the first level. The adversary is declared the winner of the game if all of
the following requirements are satisfied:

- $pk^*$ is uncorrupted;

- $pk^*$ has not been a delegatee in this game;

- Verify$(pk^*, m^*, \sigma^*, 1) = 1$.

A PRS scheme has delegator security if and only if for security parameter $\lambda$ and all
p.p.t. algorithms $\mathcal{A}$, $\Pr[\mathcal{A} \text{ wins}]$ is negligible.
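The four winning conditions above are bookkeeping over what the adversary obtained from the oracles. The following checker, an added example and not code from the book, records $O_{sk}$, $O_{rk}$, $O_s$ and $O_{rs}$ queries and decides whether a claimed forgery $(pk^*, m^*)$ is excluded by each game; Verify itself is scheme-specific, so its result is passed in as a boolean, and all class and method names are our own.

```python
"""Winning-condition checker for the four AH-model games (added illustration)."""
from collections import defaultdict, deque


class AHTranscript:
    def __init__(self, multiuse):
        self.multiuse = multiuse          # single-use or multiuse PRS
        self.corrupted = set()            # pk whose sk was handed out by O_sk
        self.signed = set()               # (pk, m) answered by O_s
        self.resigned = set()             # (pk_j, m): O_rs produced a signature under pk_j
        self.rekeys = defaultdict(set)    # pk_i -> {pk_j}: rk_{i->j} handed out by O_rk
        self.delegatees = set()           # keys that appeared as pk_i in O_rk / O_rs
        self.delegators = set()           # keys that appeared as pk_j in O_rk / O_rs

    # --- oracle bookkeeping -------------------------------------------------
    def query_sk(self, pk):
        self.corrupted.add(pk)

    def query_s(self, pk, m):
        self.signed.add((pk, m))

    def query_rk(self, pk_i, pk_j):
        self.rekeys[pk_i].add(pk_j)
        self.delegatees.add(pk_i)
        self.delegators.add(pk_j)

    def query_rs(self, pk_i, pk_j, m):
        # ReSign turns a signature under pk_i into a signature under pk_j on m
        self.resigned.add((pk_j, m))
        self.delegatees.add(pk_i)
        self.delegators.add(pk_j)

    # --- helpers ------------------------------------------------------------
    def obtained(self, pk, m):
        """A signature on m under pk came from O_s, or from O_rs with target pk."""
        return (pk, m) in self.signed or (pk, m) in self.resigned

    def chain_sources(self, target):
        """All pk_i that reach `target` through a chain of obtained re-signature keys."""
        reverse = defaultdict(set)
        for src, dsts in self.rekeys.items():
            for dst in dsts:
                reverse[dst].add(src)
        seen, todo = set(), deque([target])
        while todo:
            for src in reverse[todo.popleft()]:
                if src not in seen:
                    seen.add(src)
                    todo.append(src)
        return seen

    # --- winning conditions (Verify result supplied by the caller) ----------
    def wins_external(self, pk, m, verified):
        return verified and not self.obtained(pk, m)

    def wins_limited_proxy(self, pk, m, verified):
        if not verified or self.obtained(pk, m):
            return False
        if self.multiuse:
            # any signature on m under a key upstream of pk* (via O_s or O_rs) is excluded
            return all(not self.obtained(src, m) for src in self.chain_sources(pk))
        # single-use: only a direct re-key to pk* combined with an O_s signature is excluded
        direct = {src for src, dsts in self.rekeys.items() if pk in dsts}
        return all((src, m) not in self.signed for src in direct)

    def wins_delegatee(self, pk, m, verified):
        return (pk not in self.corrupted and pk not in self.delegators
                and verified and (pk, m) not in self.signed)

    def wins_delegator(self, pk, level, verified):
        return (pk not in self.corrupted and pk not in self.delegatees
                and level == 1 and verified)
```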

Remark 2.2.3. Since a delegator is also a delegatee in bidirectional PRS, we do not consider
the delegatee security and delegator security for bidirectional PRS with only one
signature type. Instead, we have a weaker security notion for protecting the delegatee (delegator)
in this kind of PRS, namely collusion resistance. It guarantees that the signing key of
a delegatee (delegator) cannot be revealed by the collusion of the delegator (delegatee)
and the proxy. On the other hand, it is easy to show that delegatee security and
delegator security imply collusion resistance. In particular, if the adversary cannot
generate a valid forgery, it definitely cannot obtain the corresponding signing key.

2.2.4 Multiuse, Private Proxy and Bidirectional Scheme 

In this section, we [250] introduce the multiuse, private proxy and bidirectional
PRS scheme (denoted as $S_{mb}$) proposed at Indocrypt 2007. The security is proved
in the standard model based on the computational Diffie-Hellman (CDH) assumption,
that is, it is hard to compute $g^{xy}$ given $(g, g^x, g^y)$, where $g$ is a random element in a
cryptographic group $G$ with prime order $q$, and $x, y$ are random numbers in $\mathbb{Z}_q^*$.

The system parameter of scheme $S_{mb}$ is $(G, G_T, q, g, g_2, e, H_w)$, where $G$ and $G_T$
are bilinear groups with prime order $q$; $g$ and $g_2$ are two random elements of $G$; $e$ is an
admissible pairing, $e: G \times G \to G_T$; and $H_w$ is a Waters' function [289], $H_w(m) =
u' \cdot \prod_{i \in U} u_i$, where $m$ is an $n_m$-bit message, $u', u_1, u_2, \ldots, u_{n_m}$ are random elements
in $G$, $U \subseteq \{1, \ldots, n_m\}$ is the set of indices $i$ such that $m[i] = 1$, and $m[i]$ is the $i$-th bit
of $m$.

• KeyGen: It outputs the key pair $(pk, sk) = (g^a, a)$, where $a$ is a random number
in $\mathbb{Z}_q^*$.

• ReKeyGen: On input two signing keys $sk_A = a$ and $sk_B = b$, output the re-signature
key $rk_{A\to B} = b/a \bmod q$. It is easy to see that $rk_{B\to A} = 1/rk_{A\to B} = a/b \bmod q$.

(Note that the re-signature key can be obtained by the following method [11]: (1)
the proxy sends a random number $r \in \mathbb{Z}_q^*$ to the delegatee Alice, (2) then Alice
sends $r/a$ to the delegator Bob, (3) Bob sends $rb/a$ to the proxy, (4) finally, the
proxy obtains $b/a$. The communications between any two entities are via private
and authenticated channels.)

• Sign: On input a signing key $sk = a$ and an $n_m$-bit message $m$, output the
signature $\sigma = (\sigma_1, \sigma_2) = (g_2^a \cdot H_w(m)^r, g^r)$, where $r$ is chosen randomly from
$\mathbb{Z}_q^*$.

• ReSign: On input a re-signature key $rk_{A\to B}$, a verification key $pk_A$,
a signature $\sigma_A = (\sigma_{A,1}, \sigma_{A,2})$, and an $n_m$-bit message $m$, check that
Verify$(pk_A, m, \sigma_A) = 1$. If $\sigma_A$ is invalid, output reject; otherwise, choose
a random number $v \in \mathbb{Z}_q^*$ and output $\sigma_B = (\sigma_{A,1}^{rk_{A\to B}} \cdot H_w(m)^v,\ \sigma_{A,2}^{rk_{A\to B}} \cdot g^v)$.

Note that we have:

$$(\sigma_{A,1}^{rk_{A\to B}} \cdot H_w(m)^v,\ \sigma_{A,2}^{rk_{A\to B}} \cdot g^v) = (g_2^{a \cdot b/a} \cdot H_w(m)^{rb/a} \cdot H_w(m)^v,\ g^{rb/a} \cdot g^v) = (g_2^b H_w(m)^{r'},\ g^{r'})$$

where $r' = rb/a + v \bmod q$.

• Verify: On input a verification key $pk$, an $n_m$-bit message $m$, and a signature
$\sigma = (\sigma_1, \sigma_2)$, output 1 if $e(pk, g_2)\, e(\sigma_2, H_w(m)) = e(\sigma_1, g)$, or 0 otherwise.
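The algebra of Sign, ReSign and Verify above, together with the three-message derivation of $rk_{A\to B}$, can be checked without a pairing library by working purely in the exponent. The following is an added example, not the book's code: every group element $g^x$ is represented by $x \bmod q$, and $e(g^x, g^y) = e(g,g)^{xy}$ becomes the product $xy \bmod q$; the prime Q and all function names are our own, and the model says nothing about security since exponents are never hidden.

```python
"""Scheme S_mb worked through in an exponent-only model of the pairing group."""
import secrets

Q = 1_000_003      # constructed prime order q of the toy group
N_M = 8            # message length n_m in bits


def rand_zq():
    """Uniform element of Z_q^*."""
    return 1 + secrets.randbelow(Q - 1)


def setup():
    """Public parameters as exponents: log g_2, log u', log u_1 .. log u_{n_m}."""
    return {"g2": rand_zq(), "u0": rand_zq(), "u": [rand_zq() for _ in range(N_M)]}


def hw(pp, m):
    """log_g H_w(m) = log u' + sum_{i in U} log u_i, U = bit positions of m set to 1."""
    return (pp["u0"] + sum(u for i, u in enumerate(pp["u"]) if (m >> i) & 1)) % Q


def keygen():
    """(pk, sk) = (g^a, a); in this model pk is the exponent a itself."""
    a = rand_zq()
    return a, a


def rekeygen(sk_a, sk_b):
    """rk_{A->B} = b / a mod q."""
    return sk_b * pow(sk_a, -1, Q) % Q


def rekey_protocol(sk_a, sk_b):
    """The three-message derivation of rk_{A->B} quoted from [11] in the text."""
    r = rand_zq()                            # (1) proxy -> Alice: random r
    alice_to_bob = r * pow(sk_a, -1, Q) % Q  # (2) Alice -> Bob: r / a
    bob_to_proxy = alice_to_bob * sk_b % Q   # (3) Bob -> proxy: r b / a
    return bob_to_proxy * pow(r, -1, Q) % Q  # (4) proxy strips r and holds b / a


def sign(pp, sk, m):
    """sigma = (g_2^a * H_w(m)^r, g^r), as exponents."""
    r = rand_zq()
    return ((pp["g2"] * sk + hw(pp, m) * r) % Q, r)


def verify(pp, pk, m, sig):
    """e(pk, g_2) * e(sigma_2, H_w(m)) == e(sigma_1, g), i.e. a*g2 + s2*h == s1*1 mod q."""
    s1, s2 = sig
    return (pk * pp["g2"] + s2 * hw(pp, m)) % Q == s1 % Q


def resign(pp, rk, pk_a, m, sig_a):
    """sigma_B = (sigma_{A,1}^rk * H_w(m)^v, sigma_{A,2}^rk * g^v); None means reject."""
    if not verify(pp, pk_a, m, sig_a):
        return None
    v = rand_zq()
    s1, s2 = sig_a
    return ((s1 * rk + hw(pp, m) * v) % Q, (s2 * rk + v) % Q)


def demo(m=0b10110010):
    """Alice signs, the proxy re-signs to Bob and back again; returns the checks."""
    pp = setup()
    pk_a, sk_a = keygen()
    pk_b, sk_b = keygen()
    rk_ab = rekeygen(sk_a, sk_b)
    rk_ba = pow(rk_ab, -1, Q)                 # bidirectional: rk_{B->A} = 1 / rk_{A->B}
    sig_a = sign(pp, sk_a, m)
    sig_b = resign(pp, rk_ab, pk_a, m, sig_a)
    sig_back = resign(pp, rk_ba, pk_b, m, sig_b)
    return {
        "protocol_matches_rekeygen": rekey_protocol(sk_a, sk_b) == rk_ab,
        "alice_sig_valid": verify(pp, pk_a, m, sig_a),
        "resigned_valid_for_bob": verify(pp, pk_b, m, sig_b),
        "resigned_invalid_for_alice": not verify(pp, pk_a, m, sig_b),
        "resigned_back_valid": verify(pp, pk_a, m, sig_back),
        "resign_rejects_wrong_message": resign(pp, rk_ab, pk_a, m ^ 1, sig_a) is None,
    }
```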

Theorem 2.2.4. In the standard model, the bidirectional PRS scheme $S_{mb}$ is correct
and existentially unforgeable under the CDH assumption in $G$.

Proof. The correctness property is easily observable.

To prepare the simulation, simulator B first sets $\ell_m = 2(q_s + q_{rs})$, and randomly
chooses a number $k_m$ such that $0 \le k_m \le n_m$ and $\ell_m(n_m + 1) < q$. B then chooses
$n_m + 1$ random numbers $x', x_i$ ($i = 1, \ldots, n_m$) from $\mathbb{Z}_{\ell_m}$. Lastly, B chooses $n_m + 1$
random numbers $y', y_i$ ($i = 1, \ldots, n_m$) from $\mathbb{Z}_q^*$. Here $q_s$ and $q_{rs}$ are the numbers of queries
to $O_s$ and $O_{rs}$, respectively.
To make expressions simpler, we use the following notations:

$$F(m) = x' + \sum_{i \in U} x_i - \ell_m k_m \quad\text{and}\quad J(m) = y' + \sum_{i \in U} y_i.$$

Now, B sets the public parameters:

$$g_2 = g^b,\quad u' = g_2^{\,x' - \ell_m k_m} g^{y'},\quad u_i = g_2^{\,x_i} g^{y_i}\ (1 \le i \le n_m).$$

Note that for any message $m$, the following equality holds:

$$H_w(m) = u' \prod_{i \in U} u_i = g_2^{F(m)} g^{J(m)}.$$

In the following, we focus on external security and internal security (limited proxy)
of scheme $S_{mb}$.

External Security:

• Queries: B builds the following oracles:

- $O_{pk}$: On input index $i$, B chooses a random $x_i \in \mathbb{Z}_q^*$, and guesses whether
$pk_i = pk^*$. If it is, it outputs $pk_i = (g^a)^{x_i}$; otherwise, it outputs $pk_i = g^{x_i}$.
Finally, B records $(pk_i, x_i)$ in Table $T_k$.

- $O_s$: On input $(pk_i, m)$, B obtains $(pk_i, x_i)$ from Table $T_k$. If $pk_i \ne pk^*$, it
performs Sign with $x_i$; otherwise, it proceeds as follows.

* If $F(m) \ne 0 \bmod q$, B picks a random $r \in \mathbb{Z}_q^*$ and computes the
signature as

$$\sigma = \Big(\big((g^a)^{-J(m)/F(m)} (g_2^{F(m)} g^{J(m)})^r\big)^{x_i},\ \big((g^a)^{-1/F(m)} g^r\big)^{x_i}\Big).$$
For $\tilde r = (r - a/F(m)) \cdot x_i$, we have that

$$\big((g^a)^{-J(m)/F(m)} (g^{J(m)} g_2^{F(m)})^r\big)^{x_i} = \big(g_2^a (g_2^{F(m)} g^{J(m)})^{-a/F(m)} (g^{J(m)} g_2^{F(m)})^r\big)^{x_i} = \big(g_2^a (g_2^{F(m)} g^{J(m)})^{r - a/F(m)}\big)^{x_i} = g_2^{a x_i} H_w(m)^{\tilde r}$$

and

$$\big((g^a)^{-1/F(m)} g^r\big)^{x_i} = \big(g^{r - a/F(m)}\big)^{x_i} = g^{\tilde r},$$

which shows that $\sigma$ has the correct form of a signature in the actual scheme.

* If $F(m) = 0 \bmod q$, B is unable to compute the signature $\sigma$ and outputs
failure.

- $O_{rs}$: On input $(pk_i, pk_j, m, \sigma)$, if Verify$(pk_i, m, \sigma) \ne 1$, B outputs
reject. Otherwise, B queries $O_s$ with $(pk_j, m)$ and returns the resulting
value.

• Forgery: If B does not output failure in any query above, A will, with probability
at least $\epsilon$, return a message $m^*$ and a valid forgery $\sigma^* = (\sigma_1^*, \sigma_2^*)$ on behalf
of $pk^*$. It is easy to see that B guesses the right $pk^*$ with probability at least $1/q_{pk}$, where
$q_{pk}$ is the number of queries to $O_{pk}$. If $F(m^*) \ne 0 \bmod q$, B outputs failure.
Otherwise, the forgery must be of the form, for some $r^* \in \mathbb{Z}_q^*$,

$$\sigma^* = \big(g^{abx^*} (g_2^{F(m^*)} g^{J(m^*)})^{r^*},\ g^{r^*}\big) = \big(g^{abx^* + J(m^*) r^*},\ g^{r^*}\big) = (\sigma_1^*, \sigma_2^*).$$

To solve the CDH instance, B outputs $\big(\sigma_1^* \cdot (\sigma_2^*)^{-J(m^*)}\big)^{1/x^*} = g^{ab}$, where $x^*$
is the value recorded in Table $T_k$ with $pk^*$.





At last, we need to bound the probability that B completes the simulation without
outputting failure. We require that all signature and re-signature queries on a message
$m$ along with $pk^*$ have $F(m) \ne 0 \bmod q$, and that $F(m^*) = 0 \bmod q$. Let
$m_1, \ldots, m_{q_Q}$ be the messages appearing in signature or re-signature queries not involving
the message $m^*$. Clearly, $q_Q \le q_s + q_{rs}$. We define the events $E_i$, $E'_i$, and $E^*$
as:

$$E_i: F(m_i) \ne 0 \bmod q,\quad E'_i: F(m_i) \ne 0 \bmod \ell_m,\quad E^*: F(m^*) = 0 \bmod q.$$

From $\ell_m(n_m + 1) < q$ and $x', x_i$ ($i = 1, \ldots, n_m$) $\in \mathbb{Z}_{\ell_m}$, we have $0 \le \ell_m k_m < q$ and
$0 \le x' + \sum_{i \in U} x_i < q$. Then $F(m) = 0 \bmod q$ implies $F(m) = 0 \bmod \ell_m$. Hence,
$F(m) \ne 0 \bmod \ell_m$ implies $F(m) \ne 0 \bmod q$. Since $k_m, x', x_i$ ($i = 1, \ldots, n_m$) are
chosen randomly, we have

$$\Pr[E^*] = \Pr[F(m^*) = 0 \bmod q \wedge F(m^*) = 0 \bmod \ell_m] = \Pr[F(m^*) = 0 \bmod \ell_m]\,\Pr[F(m^*) = 0 \bmod q \mid F(m^*) = 0 \bmod \ell_m] = \frac{1}{\ell_m} \cdot \frac{1}{n_m + 1}$$

and

$$\Pr\Big[\bigwedge_{i=1}^{q_Q} E'_i \,\Big|\, E^*\Big] = 1 - \Pr\Big[\bigvee_{i=1}^{q_Q} \neg E'_i \,\Big|\, E^*\Big] \ge 1 - \sum_{i=1}^{q_Q} \Pr[\neg E'_i \mid E^*] \ge 1 - \frac{q_s + q_{rs}}{\ell_m} = \frac{1}{2}.$$




The probability of B not outputting failure is

$$\Pr[\neg\mathrm{failure}] \ge \Pr\Big[\bigwedge_{i=1}^{q_Q} E_i \wedge E^*\Big] \ge \Pr\Big[\bigwedge_{i=1}^{q_Q} E'_i \wedge E^*\Big] = \Pr[E^*]\,\Pr\Big[\bigwedge_{i=1}^{q_Q} E'_i \,\Big|\, E^*\Big] \ge \frac{1}{2\ell_m(n_m + 1)}.$$

Internal Security: Since a delegator in scheme $S_{mb}$ is also a delegatee and only one
signature type exists in scheme $S_{mb}$, we only consider limited proxy security here.

• Queries: B builds the following oracles:

- $O_{pk}$: On input index $i$, B chooses a random $x_i \in \mathbb{Z}_q^*$, and guesses whether
A will issue the re-signature key queries with $(pk_i, pk_{i_1}), (pk_{i_1}, pk_{i_2}), \ldots,
(pk_{i_j}, pk^*)$ or $pk_i = pk^*$. If it is, B sets $\theta_i = 0$ and outputs $pk_i = (g^a)^{x_i}$;
otherwise, it sets $\theta_i = 1$ and outputs $pk_i = g^{x_i}$. Finally, B records
$(pk_i, x_i, \theta_i)$ in Table $T_k$.

- $O_s$: On input $(pk_i, m)$, B obtains $(pk_i, x_i, \theta_i)$ from Table $T_k$. If $\theta_i = 1$, B
returns Sign$(x_i, m)$; otherwise, B proceeds as follows:

* If $F(m) \ne 0 \bmod q$, B picks a random $r \in \mathbb{Z}_q^*$ and computes the
signature $\sigma = (\sigma_1, \sigma_2)$ exactly as in the external security simulation above.

* If $F(m) = 0 \bmod q$, B is unable to compute the signature $\sigma$ and outputs
failure.

- $O_{rk}$: On input $(pk_i, pk_j)$, if $\theta_i = \theta_j$, B returns $rk_{i\to j} = (x_j/x_i) \bmod q$;
else, B outputs failure.

- $O_{rs}$: On input $(pk_i, pk_j, m, \sigma)$, if Verify$(pk_i, m, \sigma) \ne 1$, B outputs
reject; otherwise, B queries $O_s$ with $(pk_j, m)$ and returns the resulting
value.

• Forgery: If B does not output failure in any query above, A will, with probability
at least $\epsilon$, return a message $m^*$ and a valid forgery $\sigma^* = (\sigma_1^*, \sigma_2^*)$ on behalf
of $pk^*$. If $F(m^*) \ne 0 \bmod q$ or $\theta^* = 1$, B outputs failure. Otherwise, the
forgery must be of the form, for some $r^*$,

$$\sigma^* = \big(g^{abx^* + J(m^*) r^*},\ g^{r^*}\big) = (\sigma_1^*, \sigma_2^*).$$

To solve the CDH instance, B outputs $\big(\sigma_1^* \cdot (\sigma_2^*)^{-J(m^*)}\big)^{1/x^*} = g^{ab}$, where $x^*$
is the value recorded in Table $T_k$ with $pk^*$.

At last, we need to bound the probability that B completes the simulation without
outputting failure. We require the following:

R1 $\theta_i = \theta_j$ in $O_{rk}$.

R2 $\theta^* = 0$.

R3 $F(m) \ne 0 \bmod q$ with the corresponding $\theta = 0$ in $O_s$ and $O_{rs}$.

R4 $F(m^*) = 0 \bmod q$.

It is easy to see that requirements R1 and R2 will be satisfied with probability
at least $1/2^{q_{rk}}$ and $1/q_{pk}$, respectively, where $q_{rk}$ is the number of queries to $O_{rk}$.
Furthermore, we can use the same analysis as for external security to conclude that
requirements R3 and R4 will be satisfied simultaneously with probability at least $\frac{1}{2\ell_m(n_m + 1)}$.

This completes the proof. □

2.2.5 Incompleteness of the AH Model 

The AH model is designed for all kinds of PRS, and almost all existing PRS schemes
are proven secure in the AH model. However, as we will see later, the AH model is
not complete. In particular, the AH model is not suitable for unidirectional and private
proxy PRS. In this section, we propose a private proxy and unidirectional scheme,
named $S_{ins}$, which is proven secure in the AH model but cannot provide all the required
security properties. This fact shows that the AH model is not complete.

The public parameter of scheme $S_{ins}$ is $(q, g, G, G_T, e, H)$, where $G$ and $G_T$ are
bilinear groups with prime order $q$, $g$ is a random element of $G$, $e$ is an admissible
pairing, $e: G \times G \to G_T$, and $H: \{0,1\}^* \to G$ is a cryptographic hash function.

• KeyGen: It selects a random number $a \in \mathbb{Z}_q^*$, and outputs the key pair $(pk, sk) =
(g^a, a)$.

• ReKeyGen: On input the delegatee's verification key $pk_A = g^a$ and the delegator's
signing key $sk_B = b$, it outputs the re-signature key

$$rk_{A\to B} = (rk^{(1)}_{A\to B}, rk^{(2)}_{A\to B}, rk^{(3)}_{A\to B}) = \big(r',\ (pk_A)^{r'},\ H(g^{ar'}\|2)^{1/b}\big),$$

where $r'$ is a random number in $\mathbb{Z}_q^*$ determined by the delegator.

• Sign: On input a signing key $sk = a$, a message $m$ in the message space, and an
integer $\ell \in \{1, 2\}$,

- if $\ell = 1$, it outputs an owner-type signature

$$\sigma = (A, B, C) = \big(H(m\|0)^r,\ g^r,\ H(g^r\|1)^a\big),$$

- if $\ell = 2$, it outputs a nonowner-type signature

$$\sigma = (A, B, C, D, E) = \big(H(m\|0)^{r_1},\ g^{r_1},\ H(g^{r_1}\|1)^{r_2},\ g^{r_2},\ H(g^{r_2}\|2)^{1/a}\big).$$

• ReSign: Given an owner-type signature $\sigma$ at level 1, a re-signature key $rk_{A\to B} =
(rk^{(1)}_{A\to B}, rk^{(2)}_{A\to B}, rk^{(3)}_{A\to B})$, a verification key $pk_A$ and a message $m$, this algorithm
first checks Verify$(pk_A, m, \sigma, 1) = 1$. If it does not hold, it outputs reject;
otherwise, it outputs

$$\sigma' = (A', B', C', D', E') = \big(A,\ B,\ C^{rk^{(1)}_{A\to B}},\ rk^{(2)}_{A\to B},\ rk^{(3)}_{A\to B}\big)$$
$$= \big(H(m\|0)^r,\ g^r,\ H(g^r\|1)^{ar'},\ (pk_A)^{r'},\ H((pk_A)^{r'}\|2)^{1/b}\big)$$
$$= \big(H(m\|0)^{r_1},\ g^{r_1},\ H(g^{r_1}\|1)^{r_2},\ g^{r_2},\ H(g^{r_2}\|2)^{1/b}\big).$$

Note that we set $r_1 = r \bmod q$ and $r_2 = ar' \bmod q$.

• Verify: On input a verification key $pk$, a message $m$ at level $\ell \in \{1, 2\}$, and a
signature $\sigma$,

- if $\sigma$ is an owner-type signature $\sigma = (A, B, C)$ (i.e., $\ell = 1$), it checks

$$e(pk, H(B\|1)) = e(g, C) \quad\text{and}\quad e(B, H(m\|0)) = e(g, A).$$

If both equalities hold, it outputs 1; otherwise, it outputs 0.

- if $\sigma$ is a nonowner-type signature $\sigma = (A, B, C, D, E)$ (i.e., $\ell = 2$), it
checks

$$e(g, H(D\|2)) = e(pk, E),\quad e(D, H(B\|1)) = e(g, C),\quad e(B, H(m\|0)) = e(g, A).$$

If all the equalities hold, it outputs 1; otherwise, it outputs 0.

Correctness. The correctness is due to the following equalities:

• Owner-type signature:

$$e(pk, H(B\|1)) = e(g^a, H(B\|1)) = e(g, H(B\|1)^a) = e(g, C),$$
$$e(B, H(m\|0)) = e(g^r, H(m\|0)) = e(g, H(m\|0)^r) = e(g, A).$$

• Nonowner-type signature:

$$e(pk, E) = e(g^b, H(D\|2)^{1/b}) = e(g, H(D\|2)),$$
$$e(D, H(B\|1)) = e(g^{r_2}, H(B\|1)) = e(g, H(B\|1)^{r_2}) = e(g, C),$$
$$e(B, H(m\|0)) = e(g^{r_1}, H(m\|0)) = e(g, H(m\|0)^{r_1}) = e(g, A).$$

Security Analysis of Scheme $S_{ins}$. The security proof of scheme $S_{ins}$ is based on the
extended computational Diffie-Hellman (eCDH) assumption. That is, it is hard to compute
$g^{uv}$ or $g^{u/v}$ given $(q, g, G, G_T, e, g^u, g^v, g^{1/v})$, where $g$ is a random element in $G$,
$G, G_T$ are bilinear groups with prime order $q$, $e$ is a bilinear map $G \times G \to G_T$, and
$u, v$ are random numbers in $\mathbb{Z}_q^*$.

Theorem 2.2.5. Scheme $S_{ins}$ is secure in the AH model if the eCDH problem is hard
and the hash function $H$ is treated as a random oracle.

Proof. We show that if adversary A can break scheme $S_{ins}$ in the AH model, we can
build another algorithm B that can solve the eCDH problem. Given

$$(q, g, G, G_T, e, g^u, g^v, g^{1/v}),$$

B aims to output $g^{uv}$ or $g^{u/v}$. The PRS security game goes as follows:

External Security.

• Random oracle $O_H$: On input string $R$, B first checks whether $(R, R_h, r_h, *)$ is
in Table $T_H$. If yes, B returns $R_h$ and terminates; otherwise, B chooses a random
number $r_h \in \mathbb{Z}_q^*$ and proceeds as follows:

- The input string $R$ satisfies the format $m\|0$, where $m$ is in the message space. B guesses
whether $m$ is the target message $m^*$. If yes, B outputs $R_h = (g^u)^{r_h}$; otherwise,
B outputs $R_h = g^{r_h}$.

- The input string $R$ satisfies the format $m\|1$ or $m\|2$, where $m \in G$. B
outputs $R_h = (g^u)^{r_h}$.

- The input string $R$ does not satisfy any of the above formats. B outputs
$R_h = g^{r_h}$.

Finally, B records $(R, R_h, r_h, \bot)$ in Table $T_H$.

• $O_{pk}$: On input index $i$, B first chooses a random number $x_i \in \mathbb{Z}_q^*$, and guesses
whether it is $pk^*$. For $pk_i \ne pk^*$, it sets $pk_i = g^{x_i}$; for $pk_i = pk^*$, it sets
$pk_i = (g^v)^{x_i}$. Finally, B records $(pk_i, x_i)$ in Table $T_k$.

• $O_s$: On input $(pk_i, m_i)$, B proceeds as follows:

- If $m_i = m^*$, then $pk_i \ne pk^*$; B chooses a random number $r \in \mathbb{Z}_q^*$, and
outputs

$$\sigma = (A, B, C) = \big(H(m^*\|0)^r,\ g^r,\ H(g^r\|1)^{x_i}\big).$$

- If $m_i \ne m^*$, then B chooses a random number $r \in \mathbb{Z}_q^*$, and checks
whether $((g^v)^r\|1, *, *, *)$ is in Table $T_H$. If it exists, B outputs failure
and aborts; otherwise B chooses a random number $r_1 \in \mathbb{Z}_q^*$, and records
$((g^v)^r\|1, g^{r_1}, r_1, r)$ in Table $T_H$. Then B checks whether $(m_i\|0, *_1, *_2, \bot)$
is in Table $T_H$. If it exists, then B sets $r_2 = *_2$; otherwise, B chooses a random
number $r_2 \in \mathbb{Z}_q^*$ and records $(m_i\|0, g^{r_2}, r_2, \bot)$ in Table $T_H$. Finally,
B outputs

$$\sigma = (A, B, C) = \big((g^v)^{r r_2},\ (g^v)^r,\ pk_i^{r_1}\big) = \big(H(m_i\|0)^{vr},\ g^{vr},\ H(g^{vr}\|1)^{v x_i}\big).$$

• $O_{rs}$: On input $(pk_i, pk_j, m, \sigma, 1)$, where $\sigma = (A, B, C)$. If Verify$(pk_i, m, \sigma, 1) =
1$, then B proceeds as follows; otherwise, it outputs reject.

- If $pk_j \ne pk^*$, B uses $x_j$, associated with $pk_j$ in Table $T_k$, to run ReKeyGen
and ReSign, and gets the required re-signature.

- If $pk_j = pk^*$, then $m \ne m^*$, and B chooses a random number $r \in \mathbb{Z}_q^*$, and
checks whether $((g^v)^{x_i r}\|2, *, *, *)$ is in Table $T_H$. If it exists, B outputs
failure and aborts; otherwise B chooses a random number $r_1 \in \mathbb{Z}_q^*$, and records
$((g^v)^{x_i r}\|2, g^{r_1}, r_1, x_i r)$ in Table $T_H$. B searches $(B\|1, *_1, *_2, *_3)$ in Table
$T_H$, and outputs

$$\sigma' = (A', B', C', D', E') = \big(A,\ B,\ (g^v)^{x_i *_2 r},\ (g^v)^{x_i r},\ (g^{1/v})^{r_1/x_j}\big) = \big(A,\ B,\ H(B\|1)^{x_i v r},\ g^{x_i v r},\ H(g^{x_i v r}\|2)^{1/(v x_j)}\big).$$

• Forgery: At some point, the adversary must output a forgery $(pk^*, m^*, \sigma^*)$.

Now, we show how B gets the eCDH solution from the forgery as follows.

• If $\sigma^*$ is an owner-type signature, such that $\sigma^* = (A^*, B^*, C^*)$, then we have the
following analysis:

- If no owner-type signature corresponding to $pk^*$ from $O_s$ is of the
form $(*, B^*, C^*)$, then B finds $(B^*\|1, *_1, *_2, *_3)$ in Table $T_H$, and gets the
solution of the eCDH problem:

$$(C^*)^{1/(x^* *_2)} = \big(H(B^*\|1)^{v x^*}\big)^{1/(x^* *_2)} = \big(g^{u *_2 v x^*}\big)^{1/(x^* *_2)} = g^{uv}.$$

Note that $pk^* = (g^v)^{x^*}$.

- Once an owner-type signature corresponding to $pk^*$ from $O_s$ is of the form
$(*, B^*, C^*)$, then B finds out $(m^*\|0, *_1, *_2, *_3)$ and $(B^*\|1, *_1, *_2, *_3)$ in
Table $T_H$, and gets the solution of the eCDH problem (with $*_2$ taken from the first
entry and $*_3$ from the second):

$$(A^*)^{1/(*_2 *_3)} = \big(H(m^*\|0)^{v *_3}\big)^{1/(*_2 *_3)} = \big(g^{uv *_2 *_3}\big)^{1/(*_2 *_3)} = g^{uv}.$$

Note that $B^* = (g^v)^{*_3}$.

• If $\sigma^*$ is a nonowner-type signature, such that $\sigma^* = (A^*, B^*, C^*, D^*, E^*)$, then
we have the following analysis:

- If no signature corresponding to $pk^*$ from $O_{rs}$ is of the special form
$(*, *, *, D^*, E^*)$, B finds $(D^*\|2, *_1, *_2, *_3)$ in Table $T_H$ and gets the solution
of the eCDH problem:

$$(E^*)^{x^*/*_2} = \big(H(D^*\|2)^{1/(v x^*)}\big)^{x^*/*_2} = \big(g^{u *_2/(v x^*)}\big)^{x^*/*_2} = g^{u/v}.$$

Note that $pk^* = (g^v)^{x^*}$.

- If at least one signature corresponding to $pk^*$ from the output of the oracles is of
the form $(*, *, *, D^*, E^*)$, but no signature corresponding to $pk^*$ from $O_{rs}$
is of the form $(*, B^*, C^*, D^*, E^*)$, B finds out $(D^*\|2, *_1, *_2, *_3)$ and
$(B^*\|1, *_1, *_2, *_3)$ in Table $T_H$ and gets the solution of the eCDH problem (with
$*_3$ taken from the first entry and $*_2$ from the second):

$$(C^*)^{1/(*_3 *_2)} = \big(H(B^*\|1)^{v *_3}\big)^{1/(*_3 *_2)} = \big(g^{u *_2 v *_3}\big)^{1/(*_3 *_2)} = g^{uv}.$$

Note that $D^* = (g^v)^{*_3}$.

- Once a signature corresponding to $pk^*$ from $O_{rs}$ is of
the form $(*, B^*, C^*, D^*, E^*)$, then B finds out $(m^*\|0, *_1, *_2, *_3)$ and
$(B^*\|1, *_1, *_2, *_3)$ in Table $T_H$, and gets the solution of the eCDH problem (again
with $*_2$ from the first entry and $*_3$ from the second):

$$(A^*)^{1/(*_2 *_3)} = \big(H(m^*\|0)^{v *_3}\big)^{1/(*_2 *_3)} = \big(g^{uv *_2 *_3}\big)^{1/(*_2 *_3)} = g^{uv}.$$

Note that $B^* = (g^v)^{*_3}$.

Notice that B guesses the right target verification key with probability at least $1/q_{pk}$,
and B outputs failure in $O_s$ and $O_{rs}$ with probabilities at most $(q_H + q_s)/q$ and
$(q_H + q_{rs})/q$, respectively. Here, $q_{pk}$, $q_H$, $q_s$, and $q_{rs}$ are the maximum numbers of queries
that A can make to $O_{pk}$, $O_H$, $O_s$, $O_{rs}$, respectively. As a result, B solves the eCDH
problem with a non-negligible probability.

Internal Security. Internal security includes limited proxy, delegatee security, and
delegator security.

Limited Proxy.

• $O_H$: Identical to that in external security.

• $O_{pk}$: On input index $i$, B first chooses a random number $x_i \in \mathbb{Z}_q^*$, and then
outputs $pk_i = (g^v)^{x_i}$. Finally, B records $(pk_i, x_i)$ in Table $T_k$.

• $O_s$: On input $(pk_i, m_i)$, B proceeds as follows:

- If $m_i = m^*$ and $pk_i \ne pk^*$, B chooses a random number $r$, and checks
whether $(g^r\|1, *, *, *)$ is in Table $T_H$. If it exists, B outputs failure and
aborts; otherwise, B chooses a random number $r_1$ and records
$(g^r\|1, g^{r_1}, r_1, \bot)$
in Table $T_H$. Finally, B outputs $(H(m^*\|0)^r, g^r, pk_i^{r_1})$.

- If $m_i \ne m^*$, then B performs the same as in external security.

• $O_{rk}$: On input $(pk_i, pk_j)$, B chooses a random number $r \in \mathbb{Z}_q^*$, and checks
whether $((g^v)^{x_i r}\|2, *, *, *)$ is in Table $T_H$. If it exists, B outputs failure and
aborts; otherwise, B chooses a random number $r_1 \in \mathbb{Z}_q^*$, records
$((g^v)^{x_i r}\|2, g^{r_1}, r_1, x_i r)$
in Table $T_H$, and outputs $(r, (pk_i)^r, (g^{1/v})^{r_1/x_j})$.

Note that $pk_i = (g^v)^{x_i}$ and $pk_j = (g^v)^{x_j}$.

With a similar analysis to that in external security, B solves the eCDH problem with
a non-negligible probability.

Delegatee Security: Compared to the limited proxy case, B needs to change $O_{pk}$, $O_{sk}$,
$O_s$, and $O_{rk}$ as follows.

• $O_{pk}$: For the target delegatee, set the verification key as $(g^v)^{x_0}$, and for all other
users, $g^{x_i}$, where $x_i$ ($i = 0, \ldots, n$) $\in \mathbb{Z}_q^*$.

• $O_{sk}$: On input $pk_i$, B returns the corresponding $x_i$.

• $O_s$: On input $(pk_0, m_i)$, B performs the same as in $O_s$ with input $(pk^*, m_i)$ in
external security, where $pk_0$ is treated as $pk^*$.

• $O_{rk}$: On input $(pk_i, pk_j)$, where $pk_j \ne pk_0$, B performs the same as in the real
execution since it knows $x_j$ corresponding to $pk_j$.

With a similar analysis to that in external security, B solves the eCDH problem with a
non-negligible probability.

Delegator Security: Compared to the limited proxy case, B needs to change $O_{pk}$, $O_s$,
and $O_{rk}$ as follows:

• $O_{pk}$: For the target delegator, set the verification key as $(g^v)^{x_0}$, and for all other
users, $g^{x_i}$, where $x_i$ ($i = 0, \ldots, n$) $\in \mathbb{Z}_q^*$.

• $O_{sk}$: On input $pk_i$, B returns the corresponding $x_i$.

• $O_s$: On input $(pk_0, m_i)$, B performs the same as in $O_s$ with input $(pk^*, m_i)$ in
external security, where $pk_0$ is treated as $pk^*$.

• $O_{rk}$: On input $(pk_i, pk_j)$, B proceeds as follows:

- If $pk_j \ne pk_0$, B gets $x_j$ from Table $T_k$, and uses $x_j$ to run
ReKeyGen$(pk_i, pk_j)$. In the end, B outputs the result of ReKeyGen.

- If $pk_j = pk_0$, B chooses a random number $r \in \mathbb{Z}_q^*$ and checks
whether $(pk_i^r\|2, *, *, *)$ is in Table $T_H$. If it exists, B outputs failure
and aborts; otherwise, B chooses a random number $r_1 \in \mathbb{Z}_q^*$, records
$(pk_i^r\|2, g^{r_1}, r_1, \bot)$ in Table $T_H$, and outputs $(r, pk_i^r, (g^{1/v})^{r_1/x_0})$.

With a similar analysis to that in external security, B solves the eCDH problem with
a non-negligible probability. Note that in this case, the forgery $\sigma^*$ is an owner-type
signature.

This completes the proof. □ 

An Attack on Scheme $S_{ins}$: Although the security proof of scheme $S_{ins}$ in the AH
model is given above, there exists the following attack. Let us now consider the case
Alice → Proxy → Bob, i.e., Bob delegates his signing rights to Alice via Proxy. First,
Alice can produce an owner-type signature on $m$: $\sigma_A = (H(m\|0)^r, g^r, H(g^r\|1)^a)$,
where $r$ is known to Alice. Then Proxy can transform $\sigma_A$ into Bob's signature
$\sigma_B = (H(m\|0)^r, g^r, (H(g^r\|1)^a)^{rk^{(1)}_{A\to B}}, rk^{(2)}_{A\to B}, rk^{(3)}_{A\to B})$. In this case, Alice can
generate signatures on any message simply by changing $m$ to $m'$, since she knows $r$.
This shows that scheme $S_{ins}$ is insecure. Hence, the AH model is not suitable for private
proxy and unidirectional schemes. Since most of the existing unidirectional PRS
schemes are private proxy and unidirectional schemes, it is desirable to propose a new
security model to solve this problem.

Remark 2.2.6. In fact, the AH model does not consider the attack in which the delegatee tries
to forge a valid nonowner-type signature of the delegator without colluding with the
proxy.

The main reason why scheme $S_{ins}$ is insecure is that algorithm ReSign does not
affect the value $A$, which contains the message $m$, in the owner-type signature. However, the
schemes in [11, 193] do not have this flaw.

2.2.6 AH+ Model 

In this section, we propose a new security model for private proxy and unidirectional 
PRS. Due to its simplicity, it is easy to verify its completeness. 

Before giving our security model, we will first define several terms. 

1. If user $A$ delegates his signing rights to user $B$ via proxy $P$, then users $A$ 
and $B$ are said to be in a delegation chain, denoted as $(B, A)$. User $B$ is called 
user $A$'s delegation predecessor. The combination of the proxy and a user, either 
the delegatee $B$ or the delegator $A$, is called a delegation pair. Therefore, user $A$ 
and proxy $P$ form a delegation pair, and so do user $B$ and proxy $P$. 

2. If one of the parties in a delegation pair is corrupted, the delegation pair is 
corrupted; otherwise, it is uncorrupted. 

3. A single user can be treated as the smallest delegation chain. 

4. If two users $A$ and $B$ are in a delegation chain and $B$ is $A$'s delegation predecessor, 
$B$'s signature can be transformed by a proxy or proxies into $A$'s signature. 

5. A delegation chain is its own subchain. 

6. (Only for multiuse.) If user $A$ delegates his signing rights to user $B$ via a proxy 
$P$, and user $B$ delegates his signing rights to user $C$ via a proxy $P'$, users $A$ and $C$ 
are said to be in a delegation chain too. User $C$ is also called user $A$'s delegation 
predecessor. In this case, users $A$, $B$, and $C$ are in a delegation chain $(C, B, A)$. 
The delegation chains $(B, A)$ and $(C, B)$ are delegation subchains of the delegation 
chain $(C, B, A)$. The delegation chain $(C, B, A)$ can be extended if $C$ 
delegates his signing rights to another user via another proxy. 

Existential Unforgeability of Private Proxy and Unidirectional Proxy Re-Signature: 
The existential unforgeability of private proxy and unidirectional PRS is 
defined by the following adaptively chosen-message attack game played between a challenger 
$\mathcal{C}$ and an adversary $\mathcal{A}$. We consider security in a static situation, that is, before 
the game starts, the adversary must decide which users and proxies are to be corrupted. 
Furthermore, the challenger generates all the verification keys in the following game. 

Queries: The adversary adaptively makes a number of different queries to the challenger. 
Each query can be one of the following: 

• $\mathcal{O}_{pk}$: On input an index $i$, the challenger first runs KeyGen($1^\lambda$) to get a 
key pair $(pk_i, sk_i)$, and then forwards the verification key $pk_i$ to the adversary. 
Finally, the challenger records $(pk_i, sk_i)$ in Table $T_k$. In the following 
oracles, $sk_i$ is the signing key corresponding to $pk_i$. 

• $\mathcal{O}_{sk}$: On input a verification key $pk_i$, the challenger responds with $sk_i$, the 
value associated with $pk_i$ in Table $T_k$, if $pk_i$ is corrupted; otherwise, 
the challenger responds with reject. 

• $\mathcal{O}_{rk}$: On input two verification keys $pk_i, pk_j$ ($pk_i \neq pk_j$), the challenger 
responds with ReKeyGen$(pk_i, pk_j, sk_j)$. 

• $\mathcal{O}_{s}$: On input a verification key $pk_i$ and a message $m_i$, the challenger 
responds with Sign$(sk_i, m_i, 1)$. 

• $\mathcal{O}_{rs}$: On input two verification keys $pk_i, pk_j$ ($pk_i \neq pk_j$), a message $m_i$, 
and a signature $\sigma_i$ at level $\ell$, the challenger responds with 
ReSign(ReKeyGen$(pk_i, pk_j, sk_j), pk_i, m_i, \sigma_i, \ell)$. 

Forgery: The adversary outputs a message $m^*$, a verification key $pk^*$, and a signature 
$\sigma^*$ at level $\ell^*$. The adversary wins if all the following requirements are satisfied: 

• Verify$(pk^*, m^*, \sigma^*, \ell^*) = 1$. 

• $pk^*$ is uncorrupted. 

• The adversary has not made a signature query on $(pk^*, m^*)$. 

• The adversary has not made a signature query on $(pk', m^*)$, where $pk'$ is 
uncorrupted, and there exists a delegation subchain from $pk'$ to $pk^*$ 
that does not contain any uncorrupted delegation pair. 

• The adversary has not made a re-signature key query on $(pk_i, pk_j)$ that 
satisfies all the following conditions: 

- $pk_i$ is corrupted, 

- $pk_j$ is uncorrupted, 

- there exists a delegation subchain from $pk_j$ to $pk^*$ that does not 
contain any uncorrupted delegation pair. 

• The adversary has not made a re-signature query on $(pk_i, pk_j, m^*, \sigma_i, *)$, 
where $pk_j$ is uncorrupted, and there exists a delegation subchain from 
$pk_j$ to $pk^*$ that does not contain any uncorrupted delegation pair. 

We define $\mathrm{Adv}^{\mathrm{PRS}}_{\mathcal{A}}(\lambda)$ to be the probability that adversary $\mathcal{A}$ wins the above game 
for the security parameter $\lambda$. 

Definition 2.2.7. A private proxy and unidirectional scheme is existentially unforgeable 
with respect to adaptive chosen-message attacks if for all p.p.t. adversaries $\mathcal{A}$, 
$\mathrm{Adv}^{\mathrm{PRS}}_{\mathcal{A}}(\lambda)$ is negligible in the security parameter $\lambda$. 

Remark 2.2.8 (Requirement). The requirements for the adversary's success guarantee 
that $(pk^*, m^*, \sigma^*, \ell^*)$ is a valid signature; that the adversary cannot trivially obtain a valid 
owner-type signature by obtaining the signing key; that the adversary cannot trivially 
obtain a valid owner-type signature from the signature oracle; and that the adversary cannot 
trivially obtain a valid nonowner-type signature from the re-signature key oracle and the 
re-signature oracle. 

Remark 2.2.9 (Chosen-Key Model). Following the spirit in [193], we can easily extend 
our security model into the chosen-key model [23], where the certificate authority does 
not need to verify that the owner of one verification key indeed knows the corresponding 
signing key. In particular, the challenger is no longer responsible for generating the key 
pairs for corrupted users, and the adversary generates all the corrupted verification keys 
involved in other oracles. 

The static mode can be modified to adaptive mode by removing the restriction that 
the adversary should decide which users and proxies are to be corrupted before the game 
starts. 


2.3 Proxy Re-Encryption 

Proxy re-encryption (PRE) was also proposed by Blaze et al. [29] at Eurocrypt 1998. 
In such an encryption scheme, a semi-trusted proxy, holding some information (a.k.a. the 
re-encryption key), can transform a ciphertext under one public key (delegator Alice's) into 
another ciphertext under another public key (delegatee Bob's). These two ciphertexts 
correspond to the same plaintext. However, the proxy cannot obtain the plaintext. 

2.3.1 Properties and Definition 


PRE has desired properties similar to those of PRS. 

• Unidirectional: In this scheme, a re-encryption key allows the proxy to transform 
Alice's ciphertext to Bob's but not vice versa. In a bidirectional scheme, on the 
other hand, the re-encryption key allows the proxy to transform Alice's ciphertext 
to Bob's as well as Bob's ciphertext to Alice's. 

• Multiuse: In a multiuse scheme, a transformed ciphertext can be re-transformed 
again by a proxy. In a single-use scheme, the proxy can transform only the 
ciphertexts that have not been transformed. 

• Private proxy: The proxy can keep the re-encryption key secret in a private 
proxy scheme, but anyone can recompute the re-encryption key by passively observing the 
process of re-encryption in a public proxy scheme. 

• Transparent: In a transparent scheme, users may not even know of the existence of 
a proxy. 

• Key-optimal: In a key-optimal scheme, a user is required to protect and store only 
a small constant amount of secrets no matter how many decryption delegations 
the user gives or accepts. 

• Noninteractive: The delegatee is not required to participate in the delegation process. 

• Non-transitive: A re-encryption key cannot be generated from two other re-encryption 
keys. For example, the re-encryption key from Alice to Bob cannot be 
generated from the re-encryption keys from Alice to Tina and from Tina to Bob. 

• Temporary: A re-encryption right is temporary. This can be done by either revoking 
the right [11] or expiring the right. 

• Collusion-resistant: The delegator can delegate the decryption rights to the delegatee 
via the proxy, while keeping the signing rights for the same public key. 
Definition 2.3.1 (Proxy Re-encryption). A PRE scheme is a tuple of p.p.t. algorithms 
(KeyGen, ReKeyGen, Enc, ReEnc, Dec). 

• KeyGen: It takes as input the security parameter $\lambda$, and returns a public key $pk$ 
and a private key $sk$. 

• ReKeyGen: It takes as input delegator Alice's key pair $(pk_A, sk_A)$ and delegatee 
Bob's key pair $(pk_B, sk_B)$, and returns a re-encryption key $rk_{A\to B}$ for the proxy. 
If the PRE scheme is unidirectional, the delegatee's private key is not included 
in the input. If the PRE scheme is bidirectional, then the proxy can easily obtain 
$rk_{B\to A}$ from $rk_{A\to B}$. In many bidirectional schemes [65], $rk_{A\to B} = 1/rk_{B\to A}$. 

• Enc: It takes as input a public key $pk$, a positive integer $\ell$, and a message $m$ 
from the message space, and returns a ciphertext at level $\ell$. If the PRE scheme is 
single-use, then $\ell \in \{1, 2\}$. 

• ReEnc: It takes as input a re-encryption key $rk_{A\to B}$ and a ciphertext $C_A$ under $pk_A$ at 
level $\ell$, and returns the ciphertext $C_B$ under $pk_B$ at level $\ell + 1$. If the PRE scheme 
is single-use, then $\ell = 1$ and it can be omitted. 

• Dec: It takes as input a private key $sk$ and a ciphertext $C$ at level $\ell$, and returns $m$ 
in the message space or a special symbol reject. 

Correctness. The correctness property has two requirements. For any message $m$ in 
the message space and any key pairs $(pk, sk), (pk', sk') \leftarrow \mathrm{KeyGen}(1^\lambda)$, the 
following two conditions must hold: 

$$\mathrm{Dec}(sk, \mathrm{Enc}(pk, m, \ell), \ell) = m \quad\text{and}$$ 

$$\mathrm{Dec}(sk', \mathrm{ReEnc}(\mathrm{ReKeyGen}(sk, pk'), C, \ell), \ell + 1) = m,$$ 

where $C$ is the ciphertext for message $m$ under $pk$ from algorithm Enc or ReEnc. 




2.3.2 Related Work 

Since the introduction of PRE by Blaze et al. [29], there have been many papers 
[7, 9,10, 29, 65, 86,96,130, 145,156,246] that have proposed different PRE schemes 
with different security properties. 

The first bidirectional, multiuse PRE scheme secure against chosen-plaintext attack 
(CPA) was proposed by Blaze et al. [29]; however, it is not collusion resistant. Based 
on public key encryption with double trapdoors, Ateniese et al. [9, 10] proposed the 
first collusion resistant, unidirectional, single-use PRE schemes with CPA security. At 
TCC 2007, Hohenberger et al. [145] proposed a new collusion resistant, CPA-secure, 
unidirectional PRE scheme, where the re-encryption key together with the re-encryption 
algorithm can be treated as an obfuscated re-encryption program. 

However, many applications of PRE, such as distributed file systems, demand that 
the underlying PRE scheme be secure against chosen-ciphertext attack (CCA). To solve 
this problem, Canetti and Hohenberger [65] and Ateniese and Green [130] independently proposed 
definitions of CCA security. There are two kinds of CCA-secure PRE 
schemes: with pairings and without pairings. 

By using pairings and the CHK paradigm [36,63], Canetti and Hohenberger [65] 
proposed the first CCA-secure (bidirectional) PRE scheme in the standard model. However, 
their scheme suffers from collusion attacks. Furthermore, they did not propose any 
CCA-secure unidirectional PRE scheme, and left it as an open problem. Based on the 
Canetti-Hohenberger technique, Libert and Vergnaud [194,195] proposed a new unidirectional 
PRE scheme that is CCA-secure and collusion resistant in the standard model. 
Recently, Weng et al. [293] and we [248] proposed CCA-secure and collusion-resistant 
unidirectional PRE schemes by improving Libert and Vergnaud's method. 

Due to the heavy cost of pairing computation, it is desirable to design CCA-secure 
PRE schemes without pairings. We [246] and Chow et al. [86] proposed CCA-secure 
and collusion-resistant unidirectional PRE schemes without pairings. However, the 
proposed schemes are only proven secure in the random oracle model. Most recently, 
Matsuda et al. [210] proposed a new pairing-free, CCA-secure (bidirectional) PRE scheme, 
which is proven secure in the standard model. However, it suffers from the collusion 
attack. Furthermore, Weng et al. [295] pointed out that the scheme of Matsuda et al. is 
not CCA-secure, but they did not suggest any improvement. 

In 2009¹, we [249] proposed a generic construction for CCA-secure, single-use, 
unidirectional PRE from CCA-secure (2,2) threshold public key encryption. With 
the generic construction, we can obtain two kinds of single-use, unidirectional PRE 
schemes. One is secure in the random oracle model without pairings, and the other is 
secure in the standard model with pairings. At CT-RSA 2012, Hanaoka et al. [136] 
obtained a similar result by using similar methods. 

There are also some PRE schemes with some special properties, such as thresh¬ 
old [249], conditional [255,272,294], invisible proxy [160,272], identity-based [130, 
255,283], anonymous [7,253,254], and searchable [247]. 

In the rest of this section, we first introduce the security models of (unidirectional) 
PRE, and then the PRE scheme [246] proposed at PKC 2009. 

2.3.3 Security Models 

Usually, unidirectional PRE is preferable to bidirectional PRE. For example, when the 
delegator delegates his decryption rights to the delegatee, the delegatee does not always 
want to do the reverse delegation. Furthermore, any unidirectional scheme can be easily 
transformed into a bidirectional one by running the former in both directions, while 
whether the reverse holds is unknown. Hence, we only give the security models for 
single-use unidirectional PRE and multiuse unidirectional PRE in this section. 

The security models below are defined by games played between a challenger $\mathcal{C}$ and 
an adversary $\mathcal{A}$. We assume that the public keys input into the oracles by the adversary 
are all from the public key generation oracle $\mathcal{O}_{pk}$. We say that a public key is corrupted if 
it has been queried to the private key generation oracle $\mathcal{O}_{sk}$ by the adversary. 

¹ The paper [249] was published online in May 2009. 

Chosen-Ciphertext Security for Single-Use, Unidirectional Proxy Re-Encryption 
(SUPRE) 

In almost all existing unidirectional PRE schemes except one [119], there are two 
types of ciphertexts. One is the original ciphertext ($\ell = 1$) that can only be generated 
by Enc, and the other is the re-encrypted ciphertext ($\ell = 2$) that can be generated not 
only by Enc but also by ReEnc. Hence, we have two security models for SUPRE: one aims 
to protect the plaintext corresponding to the original ciphertext, and the other aims to 
protect the plaintext corresponding to the re-encrypted ciphertext. 

The challenge ciphertext is an original ciphertext. 

Setup: The challenger sets up the system parameters. 

Phase 1: The adversary $\mathcal{A}$ can issue the following queries adaptively. 

• Public key generation oracle $\mathcal{O}_{pk}$: The challenger takes a security parameter $\lambda$, 
runs KeyGen($1^\lambda$) to generate a key pair $(pk_i, sk_i)$, gives $pk_i$ to $\mathcal{A}$ and records 
$(pk_i, sk_i)$ in Table $T_k$. In the following, $sk_i$ is the private key corresponding to 
$pk_i$. 

• Private key generation oracle $\mathcal{O}_{sk}$: On input $pk_i$, the challenger searches for $pk_i$ 
in Table $T_k$ and returns $sk_i$. 

• Re-encryption key generation oracle $\mathcal{O}_{rk}$: On input $(pk_i, pk_j)$, the challenger 
returns the re-encryption key $rk_{i,j} = \mathrm{ReKeyGen}(sk_i, pk_j)$. 

• Re-encryption oracle $\mathcal{O}_{re}$: On input $(pk_i, pk_j, C)$, the challenger returns the 
re-encrypted ciphertext $C' = \mathrm{ReEnc}(\mathrm{ReKeyGen}(sk_i, pk_j), C)$. 

• Decryption oracle $\mathcal{O}_{dec}$: On input $(pk_i, C_i)$, the challenger returns $\mathrm{Dec}(sk_i, C_i)$. 

Challenge: Once Phase 1 is over, $\mathcal{A}$ outputs two plaintexts $m_0, m_1$ of equal length 
from the message space, and a public key $pk^*$ on which $\mathcal{A}$ wishes to be challenged. There 
are two restrictions on the public key $pk^*$: (i) $pk^*$ has not been queried to $\mathcal{O}_{sk}$; (ii) 
if $(pk^*, \star)$ has appeared in any query to $\mathcal{O}_{rk}$, $\star$ should not be queried to $\mathcal{O}_{sk}$. The 
challenger picks a random bit $b \in \{0,1\}$ and sets $C^* = \mathrm{Enc}(pk^*, m_b)$. It sends $C^*$ as 
the challenge to $\mathcal{A}$. 

Phase 2: This phase is almost the same as Phase 1 but with the following constraints: 

• $\mathcal{O}_{sk}$: On input $pk_i$, if $pk_i = pk^*$, the challenger outputs reject. 

• $\mathcal{O}_{rk}$: On input $(pk_i, pk_j)$, if $pk_i = pk^*$ and $pk_j$ is corrupted, the challenger 
outputs reject. 

• $\mathcal{O}_{re}$: On input $(pk_i, pk_j, C_i)$, if $(pk_i, C_i) = (pk^*, C^*)$ and $pk_j$ is corrupted, the 
challenger outputs reject. 

• $\mathcal{O}_{dec}$: On input $(pk_i, C_i)$, if $(pk_i, C_i)$ is a derivative (see the part after 
Definition 2.3.2 below) of $(pk^*, C^*)$, the challenger outputs reject. 

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $b' \in \{0,1\}$ and wins the game if 
$b = b'$. 

We refer to such an adversary $\mathcal{A}$ as a CCA-O adversary. We define adversary $\mathcal{A}$'s 
advantage in attacking SUPRE as the following function: 

$$\mathrm{Adv}^{\text{CCA-O}}_{\mathrm{SUPRE},\mathcal{A}}(\lambda) = |\Pr[b = b'] - 1/2|.$$ 

Using the CCA-O game, we can define the CCA-O security of SUPRE. 

Definition 2.3.2 (CCA-O Security). We say that a single-use, unidirectional PRE 
scheme SUPRE is CCA-O-secure, if for any polynomial time CCA-O adversary $\mathcal{A}$, 
the function $\mathrm{Adv}^{\text{CCA-O}}_{\mathrm{SUPRE},\mathcal{A}}(\lambda)$ is negligible. 
The core of PRE's security is the definition of derivatives of ciphertexts. Derivatives 
of $(pk^*, C^*)$ can be obtained by combining some of the following rules: 

R-1 $(pk^*, C^*)$ is a derivative of itself. 

R-2 If $\mathcal{A}$ has queried $\mathcal{O}_{re}$ on input $(pk^*, pk, C^*)$ and obtained $C$, $(pk, C)$ is a derivative 
of $(pk^*, C^*)$. 

R-3 If $\mathcal{A}$ has queried $\mathcal{O}_{rk}$ on input $(pk^*, pk)$ and $C \leftarrow \mathrm{ReEnc}(\mathcal{O}_{rk}(pk^*, pk), C^*)$, 
$(pk, C)$ is a derivative of $(pk^*, C^*)$. 

R-4 If $\mathcal{A}$ has queried $\mathcal{O}_{rk}$ on input $(pk^*, pk)$ and $\mathrm{Dec}(pk, C) \in \{m_0, m_1\}$, $(pk, C)$ is 
a derivative of $(pk^*, C^*)$. 

R-5 If $(pk, C)$ is a re-encrypted ciphertext and $\mathrm{Dec}(pk, C) \in \{m_0, m_1\}$, $(pk, C)$ is a 
derivative of $(pk^*, C^*)$. 

The definition of derivatives we use in this section consists of relations R-1, R-2, 
and R-3, named $\mathrm{Def}_{der}$. The single-use unidirectional case extended from the Canetti-Hohenberger 
definition [65] corresponds to relations R-1, R-2, and R-4, and the Libert-Vergnaud 
definition [194,195] consists of items R-1 and R-5. 

R-1 is the trivial reflexive relation. R-2 models the direct consequence of the 
re-encryption process. R-5 follows the spirit of the definition of re-randomizable CCA 
security for the re-encrypted ciphertext. One possible stronger rule (R-4) is that only 
when $\mathcal{A}$ has queried the required re-encryption key are all re-encrypted ciphertexts 
that are generated by such a key and have either of the challenge messages as their 
plaintext disallowed from being queried to $\mathcal{O}_{dec}$. R-3, in a strict sense, still deviates 
from regular CCA security, since a class of ciphertexts instead of a single ciphertext 
is disallowed. 

Most importantly, $\mathrm{Def}_{der}$ disallows a smaller class of ciphertexts when compared 
with the other definitions. Consider an adversary which has queried the re-encryption oracle 
with $(pk^*, pk, C^*)$ and obtained $(pk, C)$, where $pk$ belongs to an uncorrupted user. It is possible 
that this adversary can change $C$ into $C'$ without running the 
ReEnc algorithm, such that the output of $\mathrm{Dec}(C, pk)$ equals that of $\mathrm{Dec}(C', pk)$, or 
can be computed easily from that of $\mathrm{Dec}(C', pk)$. According to the extension 
of the Canetti-Hohenberger definition and the Libert-Vergnaud definition, $(pk, C')$ is a 
derivative of $(pk^*, C^*)$. However, $(pk, C')$ is not a derivative of $(pk^*, C^*)$ in $\mathrm{Def}_{der}$. 
Essentially, $\mathrm{Def}_{der}$ only takes as a derivative the re-encrypted ciphertext obtained directly either 
from the algorithm ReEnc or from the oracle $\mathcal{O}_{re}$. This feature makes 
$\mathrm{Def}_{der}$ closer to the CCA security definition for typical public key encryption. 

The challenge ciphertext is a re-encrypted ciphertext. The CCA-R security 
of SUPRE is defined by the same approach as the CCA-O security. 

Phase 1, Guess: Identical to those in the CCA-O game. 

Challenge: Once Phase 1 is over, $\mathcal{A}$ outputs two plaintexts $m_0, m_1$ of equal length 
from the message space, and two uncorrupted public keys $pk, pk^*$ on which $\mathcal{A}$ 
wishes to be challenged. The challenger picks a random bit $b \in \{0,1\}$ and sets 
$C^* = \mathrm{ReEnc}(rk, \mathrm{Enc}(pk, m_b))$, where $rk$ is a re-encryption key from $pk$ to $pk^*$. 
It sends $C^*$ as the challenge to $\mathcal{A}$. 

Phase 2: Almost the same as Phase 1 but with the following constraints: 

• $\mathcal{O}_{sk}$: On input $pk_i$, if $pk_i = pk$ or $pk_i = pk^*$, the challenger outputs 
reject. 

• $\mathcal{O}_{dec}$: On input $(pk_i, C_i)$, if $(pk_i, C_i) = (pk^*, C^*)$, the challenger outputs 
reject. 

We also define $\mathrm{Adv}^{\text{CCA-R}}_{\mathrm{SUPRE},\mathcal{A}}(\lambda) = |\Pr[b = b'] - 1/2|$ for the security parameter $\lambda$ as 
in CCA-O security. 

Definition 2.3.3 (CCA-R Security). We say that a single-use, unidirectional PRE 
scheme SUPRE is CCA-R-secure, if for any polynomial time CCA-R adversary $\mathcal{A}$ the 
function $\mathrm{Adv}^{\text{CCA-R}}_{\mathrm{SUPRE},\mathcal{A}}(\lambda)$ is negligible. 

Remark 2.3.4. There is another security notion, named collusion resistance, guaranteeing that 
no collusion of delegatee and proxy can reveal the delegator's private 
key. It is easy to see that CCA-R security implies collusion resistance, since anyone 
obtaining the delegator's private key can definitely decrypt the re-encrypted ciphertext 
for the delegator. 

Chosen-Ciphertext Security for Multiuse, Unidirectional Proxy Re-Encryption 

Before giving our security model, we first define several terms for PRE. 

• If user $A$ delegates his decryption rights to user $B$ via a proxy $P$, then users 
$A$ and $B$ are said to be in a delegation chain, denoted as $(A, B)$. If user $B$ 
delegates his decryption rights to user $C$ via a proxy $P'$, then users $A$ and $C$ are 
said to be in a delegation chain too; the resulting delegation chain is denoted as 
$(A, B, C)$. If user $C$ delegates his decryption rights to other people, the delegation 
chain is further extended. 

• One user is the smallest delegation chain. 

• If the first and last users in a delegation chain are users $A$ and $B$, respectively, then 
the delegation chain can be denoted as $(A, \ldots, B)$. 

• For a delegation chain $(A, \ldots, B)$, if the ciphertext for user $A$ can be transformed 
into the ciphertext for user $B$ by the outputs of the re-encryption key generation 
oracle and the private key generation oracle, the delegation chain $(A, \ldots, B)$ is 
corrupted; otherwise, it is uncorrupted. 

Now, we give the CCA security for multiuse, unidirectional PRE (MUPRE) by the 
following CCA game. 
Setup: $\mathcal{C}$ sets up the system parameters, and sends the system parameters to $\mathcal{A}$. 

Phase 1: $\mathcal{A}$ adaptively issues the following queries: 

• Public key generation oracle $\mathcal{O}_{pk}$: On input an index $i$, $\mathcal{C}$ first takes a 
security parameter $1^\lambda$, and then runs algorithm KeyGen($1^\lambda$) to generate a key 
pair $(pk_i, sk_i)$, gives $pk_i$ to $\mathcal{A}$ and records $(pk_i, sk_i)$ in Table $T_k$. In the 
following oracles, $sk_i$ is the private key corresponding to $pk_i$. 

• Private key generation oracle $\mathcal{O}_{sk}$: On input $pk_i$, $\mathcal{C}$ searches for $pk_i$ in Table 
$T_k$ and returns the associated $sk_i$. 

• Re-encryption key generation oracle $\mathcal{O}_{rk}$: On input $(pk_i, pk_j)$, $\mathcal{C}$ returns the 
re-encryption key $rk_{i,j} = \mathrm{ReKeyGen}(sk_i, pk_j)$. 

• Re-encryption oracle $\mathcal{O}_{re}$: On input $(pk_i, pk_j, (\ell, C))$, $\mathcal{C}$ returns the 
re-encrypted ciphertext 

$$(\ell + 1, C') \leftarrow \mathrm{ReEnc}(\mathrm{ReKeyGen}(sk_i, pk_j), (\ell, C)).$$ 

• Decryption oracle $\mathcal{O}_{dec}$: On input $(pk, (\ell, C))$, $\mathcal{C}$ returns $\mathrm{Dec}(sk, (\ell, C))$. 

Challenge: Once Phase 1 is over, $\mathcal{A}$ outputs two plaintexts $m_0, m_1$ of equal length 
from the message space, a positive integer $\ell^*$, a set of public keys $\{pk_{i_j}\}_{j=1}^{\ell^*-1}$, 
and an uncorrupted public key $pk^*$ on which $\mathcal{A}$ wishes to be challenged. There is one 
constraint on the public key $pk^*$, i.e., there does not exist a corrupted delegation 
chain from $pk^*$ to a corrupted public key. $\mathcal{C}$ picks a random bit $b \in \{0,1\}$ and 
sets 

$$C^* = \mathrm{ReEnc}\big(\mathrm{ReKeyGen}(sk_{i_{\ell^*-1}}, pk^*),\ \mathrm{ReEnc}\big(\mathrm{ReKeyGen}(sk_{i_{\ell^*-2}}, pk_{i_{\ell^*-1}}),\ \cdots,\ \mathrm{ReEnc}\big(\mathrm{ReKeyGen}(sk_{i_1}, pk_{i_2}),\ \mathrm{Enc}(pk_{i_1}, m_b)\big)\big)\big).$$ 

It sends $(\ell^*, C^*)$ as the challenge to $\mathcal{A}$. 
Note that when $\ell^* = 1$, $\{pk_{i_j}\}_{j=1}^{\ell^*-1}$ is an empty set, and 
$C^* = \mathrm{Enc}(pk^*, m_b)$. 

Phase 2: $\mathcal{A}$ adaptively issues more queries: 

• $\mathcal{O}_{pk}$: Identical to that in Phase 1. 

• $\mathcal{O}_{sk}$: On input $pk_i$, if there exists a corrupted delegation chain from $pk^*$ to 
$pk_i$, $\mathcal{C}$ outputs reject; otherwise, $\mathcal{C}$ executes the same steps as in Phase 1. 

• $\mathcal{O}_{rk}$: On input $(pk_i, pk_j)$, if one of the following conditions holds, $\mathcal{C}$ outputs 
reject; otherwise, $\mathcal{C}$ executes the same steps as in Phase 1. 

- $pk_i$ is uncorrupted and $pk_j$ is corrupted, and there is a corrupted delegation 
chain from $pk^*$ to $pk_i$. 

- $pk_i$ is uncorrupted and $pk_j$ is corrupted, and there is a corrupted delegation 
chain from $pk$ to $pk_i$, where the adversary holds a derivative 
$(pk, (\ell, C))$ (see below) of $(pk^*, (\ell^*, C^*))$. 

The definition of derivatives of $(pk^*, (\ell^*, C^*))$ is different from that in the 
single-use case. 

1. $(pk^*, (\ell^*, C^*))$ is a derivative of itself. 

2. If $(pk, (\ell, C))$ is a derivative of $(pk^*, (\ell^*, C^*))$ and $(pk', (\ell', C'))$ is a 
derivative of $(pk, (\ell, C))$, then $(pk', (\ell', C'))$ is a derivative of $(pk^*, (\ell^*, C^*))$. 

3. If $(pk', (\ell', C')) \leftarrow \mathcal{O}_{re}(pk, pk', (\ell, C))$, $(pk', (\ell', C'))$ is a derivative 
of $(pk, (\ell, C))$. 

4. If $(\ell', C') \leftarrow \mathrm{ReEnc}(\mathcal{O}_{rk}(pk, pk'), (\ell, C))$, $(pk', (\ell', C'))$ is a derivative 
of $(pk, (\ell, C))$. 

5. If $(\ell', C') \leftarrow \mathrm{ReEnc}(\mathrm{ReKeyGen}(sk, pk'), (\ell, C))$, $(pk', (\ell', C'))$ is a 
derivative of $(pk, (\ell, C))$, where $sk$ is the private key of $pk$. 

• $\mathcal{O}_{re}$: On input $(pk_i, pk_j, (\ell, C))$, if $(pk_i, (\ell, C))$ is a derivative of 
$(pk^*, (\ell^*, C^*))$, and there is a corrupted delegation chain from $pk_j$ to a 
corrupted public key or $pk_j$ is corrupted, $\mathcal{C}$ outputs reject; otherwise, $\mathcal{C}$ 
responds the same as in Phase 1. 

• $\mathcal{O}_{dec}$: On input $(pk_i, (\ell, C))$, if $(pk_i, (\ell, C))$ is a derivative of 
$(pk^*, (\ell^*, C^*))$, $\mathcal{C}$ outputs reject; otherwise, $\mathcal{C}$ responds the same as in 
Phase 1. 

Guess: Finally, $\mathcal{A}$ outputs a guess $b' \in \{0,1\}$ and wins the game if $b = b'$. 

We also define $\mathrm{Adv}^{\mathrm{CCA}}_{\mathrm{MUPRE},\mathcal{A}}(\lambda) = |\Pr[b = b'] - 1/2|$ for the security parameter $\lambda$, as 
in the CCA-O security for SUPRE. 

Definition 2.3.5 (CCA Security). We say that a multiuse, unidirectional PRE scheme 
MUPRE is CCA-secure, if for any polynomial time CCA adversary $\mathcal{A}$ the function 
$\mathrm{Adv}^{\mathrm{CCA}}_{\mathrm{MUPRE},\mathcal{A}}(\lambda)$ is negligible. 
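The delegation-chain bookkeeping a challenger needs for the multiuse game, as an added example (not the book's own code): it decides the Phase 2 $\mathcal{O}_{sk}$ restriction and the first $\mathcal{O}_{rk}$ restriction over a constructed query log, and leaves the derivative-based rules out.

```python
"""Challenger-side bookkeeping for the multiuse CCA game (added example, not from the book).

A delegation chain (A, ..., B) is corrupted when the adversary can turn A's ciphertext
into B's using only what O_rk and O_sk returned. This class tracks those outputs and
answers the Phase 2 O_sk rule and the first O_rk rule; the rules that refer to
derivative ciphertexts are not modelled. The run in scenario() is constructed.
"""
from collections import deque


class Challenger:
    def __init__(self, keys):
        self.keys = set(keys)                  # keys handed out by O_pk (indices stand in for keys)
        self.corrupted = set()                 # keys queried to O_sk
        self.rk = {k: set() for k in keys}     # rk[i] = {j}: re-encryption keys i -> j returned by O_rk

    def reachable(self, src):
        """Keys B such that the chain (src, ..., B) is corrupted. An O_rk output is an
        edge i -> j; a corrupted key i lets the adversary run ReKeyGen(sk_i, pk_j) for
        any j itself, so it contributes edges to every key."""
        seen, todo = {src}, deque([src])
        while todo:
            i = todo.popleft()
            for j in (self.keys if i in self.corrupted else self.rk[i]):
                if j not in seen:
                    seen.add(j)
                    todo.append(j)
        return seen - {src}

    def challenge_allowed(self, target):
        """pk* is admissible iff it is uncorrupted and no corrupted chain leads from it
        to a corrupted key."""
        return target not in self.corrupted and not (self.reachable(target) & self.corrupted)

    def query_sk(self, target, i):
        """Phase 2 O_sk: reject if there is a corrupted chain from pk* to pk_i
        (a single user is the smallest chain, so pk* itself is always rejected)."""
        if i == target or i in self.reachable(target):
            return "reject"
        self.corrupted.add(i)
        return f"sk_{i}"

    def query_rk(self, target, i, j):
        """Phase 2 O_rk, first rule: reject if pk_i is uncorrupted, pk_j is corrupted
        and there is a corrupted chain from pk* to pk_i."""
        if i not in self.corrupted and j in self.corrupted and (i == target or i in self.reachable(target)):
            return "reject"
        self.rk[i].add(j)
        return f"rk_{i}->{j}"


def scenario():
    """Constructed run: keys 1..5, target pk* = 1; Phase 1 handed out rk 1->2, rk 2->3, sk_5."""
    C = Challenger([1, 2, 3, 4, 5])
    C.rk[1].add(2)
    C.rk[2].add(3)
    C.corrupted.add(5)
    return (C.challenge_allowed(1),      # True: chain (1, 2, 3) reaches no corrupted key
            C.query_sk(1, 3),            # reject: (1, 2, 3) is a corrupted chain from pk* to pk_3
            C.query_rk(1, 3, 5),         # reject: it would extend that chain to corrupted pk_5
            C.query_rk(1, 5, 3),         # allowed: pk_5 is corrupted, no new chain from pk*
            C.query_rk(1, 4, 5),         # allowed: no chain from pk* reaches pk_4
            C.query_sk(1, 4),            # allowed: still no corrupted chain from pk* to pk_4
            C.challenge_allowed(1))      # True: pk* remains admissible
```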

Collusion Resistance for Multiuse, Unidirectional Proxy Re-encryption 

We still use the above method to define collusion resistance. In the CR game, there 
are the same oracles as in Phase 1 of the CCA game for multiuse, unidirectional 
PRE. In the end, the adversary wins the game if it outputs the private key of an 
uncorrupted user. Such an adversary is called a CR adversary. 

Definition 2.3.6. We say that a multiuse, unidirectional PRE scheme MUPRE is collusion 
resistant, if for any polynomial time CR adversary $\mathcal{A}$ the function $\mathrm{Adv}^{\mathrm{CR}}_{\mathrm{MUPRE},\mathcal{A}}(\lambda)$ is 
negligible. 

Remark 2.3.7 (CCA Security vs. Collusion Resistance). Unlike the single-use unidirectional 
case, the CCA security (for $\ell$-level ciphertexts, $\ell > 1$) of multiuse, unidirectional 
PRE cannot guarantee CR security, since in the CCA game the adversary cannot 
query $\mathcal{O}_{rk}$ to get the re-encryption key from the target user to any corrupted user, but 
this is allowed in the CR game. 
2.3.4 Single-Use, Unidirectional Scheme 

From the security model of SUPRE, we see that there are three sufficient conditions 
for CCA-secure SUPRE: 

1) Both the proxy and the delegator can verify the validity of the original ciphertext. 

2) The delegatee can verify the validity of the re-encrypted ciphertext. 

3) The delegatee colluding with the proxy cannot get the private key of the 
delegator. 

The first condition can be easily met if the original ciphertext is publicly verifiable. 
There are many methods to obtain public verifiability, such as signatures of knowledge. 
There are likewise many methods to meet the second condition, such as the Fujisaki-Okamoto 
conversion [115]. The last condition is usually the most difficult one to realize when 
designing CCA-secure unidirectional PRE. From the definition of PRE, the delegatee 
colluding with the proxy can definitely obtain a value that can be used for decryption in 
place of the private key of the delegator. Hence, the value obtained by the collusion of the 
delegatee and proxy should not be the real private key of the delegator, but a sub-private key. 
A similar concept of sub-private key has appeared in other cryptographic primitives, 
such as public key encryption with double trapdoors (both trapdoors can be used for 
decryption, and one trapdoor can be computed from the other but not vice versa). 

Following the above method, we [246] proposed the first CCA-secure, single-use, 
unidirectional PRE scheme $\mathcal{S}_{SUPRE}$ in the random oracle model by using the Fujisaki-Okamoto 
conversion, a signature of knowledge, and the public key encryption with double 
trapdoors proposed by Bresson et al. [54] (named BCP03). 

Signature of Knowledge 

The following noninteractive zero-knowledge proof of knowledge, named signature 
of knowledge of equality of two discrete logarithms [8,61,258], will be used in follow- 
Definition 2.3.8. Let $y_1, y_2, g, h \in G$, where $G$ is the cyclic group of quadratic residues modulo 
$N^2$ ($N$ is a safe-prime modulus), and let $H(\cdot): \{0,1\}^* \to \{0,1\}^\lambda$ ($\lambda$ is the security 
parameter). A pair $(c, s)$ verifying 

$$c = H(y_1\|y_2\|g\|h\|g^s y_1^c\|h^s y_2^c\|m)$$ 

is a signature of knowledge of the discrete logarithm of both $y_1 = g^x$ w.r.t. base $g$ and $y_2 = h^x$ w.r.t. 
base $h$, on a message $m \in \{0,1\}^*$. 

The party in possession of the secret $x$ is able to compute the signature, provided 
that $x = \log_g y_1 = \log_h y_2$, by choosing a random $t \in \{0, \ldots, 2^{|N|+k} - 1\}$ ($|n|$ denotes the 
bit-length of $n$), and then computing $c$ and $s$ as: 

$$c = H(y_1\|y_2\|g\|h\|g^t\|h^t\|m) \quad\text{and}\quad s = t - cx.$$ 

The verification equation then holds because $g^s y_1^c = g^{t-cx} g^{cx} = g^t$ and, likewise, $h^s y_2^c = h^t$. 
We denote the generation of the proof by $\mathrm{SoK.Gen}(y_1, y_2, g, h, m)$. 

The Public Key Encryption with Double Trapdoors: BCP03 

The following description is from [54]. Let $N = pq$ be a safe-prime modulus, i.e., 
$p = 2p' + 1$, $q = 2q' + 1$, and $p, p', q, q'$ are primes. Assume $G$ is the cyclic group of 
quadratic residues modulo $N^2$; then the order of $G$ is $Np'q'$. 

• KeyGen: Choose a random element $\alpha \in \mathbb{Z}^*_{N^2}$ and a random value $a \in [1, Np'q']$, 
and set $g = \alpha^2 \bmod N^2$ and $h = g^a \bmod N^2$. The public key is $(N, g, h)$ and 
the private key is $a$. 

• Enc: On input a public key $pk$ and a message $m \in \mathbb{Z}_N$, the ciphertext $(A, B)$ is 
computed as 

$$A = g^r \bmod N^2, \qquad B = h^r (1 + mN) \bmod N^2,$$ 

where $r$ is a random number from $\mathbb{Z}_{N^2}$. 

• Dec: There are two methods to decrypt: 

- Knowing $a$, one can compute $m$ by 

$$m = \frac{B/(A^a) - 1 \bmod N^2}{N}.$$ 

- Knowing $p', q'$, one can compute $m$ by 

$$m = \frac{D - 1 \bmod N^2}{N} \cdot \pi \bmod N,$$ 

where $D = (B/g^{w_1})^{2p'q'} \bmod N^2$, $w_1 = ar \bmod N$, $ar \bmod pqp'q' = w_1 + w_2 N$, and 
$\pi$ is the inverse of $2p'q' \bmod N$. 

Note that the values of $a \bmod N$ and $r \bmod N$ can be computed given 
$h = g^a \bmod N^2$, $A = g^r \bmod N^2$, and $p', q'$, by the method in [225] 
(Theorem 1 in [225]). 
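The two decryption routes of BCP03 side by side, as an added example (not the book's or [54]'s code) on constructed toy safe primes; route (b) only ever learns $a \bmod N$, never $a$ itself, which is what lets $a$ serve as a sub-private key in the scheme that follows.

```python
"""BCP03 double-trapdoor encryption with both decryption routes of the page.

Added example (not the book's or [54]'s code). Constructed toy parameters:
tiny safe primes so the arithmetic is visible; a real modulus needs >= 2048 bits.
Route (a) uses the secret exponent a (the "sub-private key" of Section 2.3.4);
route (b) uses only the factorization trapdoor (p', q') plus the L-function
method of [225] to recover a mod N and r mod N.
"""
import random
from math import gcd

P, PP, Q, QP = 23, 11, 59, 29      # constructed safe primes: p = 2p'+1, q = 2q'+1


def L(u: int, N: int) -> int:
    """Paillier's L-function: for u = 1 + kN (mod N^2) returns k mod N."""
    return ((u - 1) % (N * N)) // N


def keygen(rng: random.Random):
    """Returns pk = (N, g, h), the sub-private key a, and the trapdoor (p', q')."""
    N = P * Q
    N2 = N * N
    e = 2 * PP * QP
    while True:
        alpha = rng.randrange(2, N2)
        if gcd(alpha, N2) != 1:
            continue
        g = pow(alpha, 2, N2)                      # quadratic residue, order divides Np'q'
        # g^(2p'q') = 1 + kN; route (b) needs k invertible mod N, i.e. g of full order.
        if gcd(L(pow(g, e, N2), N), N) == 1:
            break
    a = rng.randrange(1, N * PP * QP + 1)          # a in [1, Np'q']
    return (N, g, pow(g, a, N2)), a, (PP, QP)


def encrypt(pk, m: int, rng: random.Random):
    """A = g^r, B = h^r (1 + mN) mod N^2 with r random in Z_{N^2}; m must lie in Z_N."""
    N, g, h = pk
    N2 = N * N
    if not 0 <= m < N:
        raise ValueError("message space is Z_N")
    r = rng.randrange(1, N2)
    return pow(g, r, N2), pow(h, r, N2) * (1 + m * N) % N2


def decrypt_with_a(pk, a: int, ct) -> int:
    """Route (a): B / A^a = 1 + mN (mod N^2), so m = L(B / A^a)."""
    N, _, _ = pk
    A, B = ct
    return L(B * pow(A, -a, N * N) % (N * N), N)


def decrypt_with_factors(pk, trapdoor, ct) -> int:
    """Route (b): w1 = ar mod N, D = (B / g^w1)^(2p'q') = (1 + mN)^(2p'q') = 1 + 2p'q' m N."""
    N, g, h = pk
    N2 = N * N
    e = 2 * trapdoor[0] * trapdoor[1]
    A, B = ct
    k_inv = pow(L(pow(g, e, N2), N), -1, N)       # g^e = 1 + kN
    a_mod_N = L(pow(h, e, N2), N) * k_inv % N      # h^e = (1 + kN)^a = 1 + akN (mod N^2)
    r_mod_N = L(pow(A, e, N2), N) * k_inv % N      # A^e = (1 + kN)^r = 1 + rkN (mod N^2)
    w1 = a_mod_N * r_mod_N % N                     # ar mod Np'q' = w1 + w2 N
    D = pow(B * pow(g, -w1, N2) % N2, e, N2)       # the g^(w2 N) factor dies under exponent 2p'q'
    pi = pow(e, -1, N)                             # inverse of 2p'q' mod N
    return L(D, N) * pi % N


def roundtrip(m: int, seed: int = 1):
    """Encrypts m once and decrypts it by both routes; returns (route a, route b)."""
    rng = random.Random(seed)
    pk, a, trapdoor = keygen(rng)
    ct = encrypt(pk, m, rng)
    return decrypt_with_a(pk, a, ct), decrypt_with_factors(pk, trapdoor, ct)
```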

The Description of Scheme ,S' SU phe 

Scheme Ssupre contains three cryptographic hash functions: iTi(-) : {0,1}* —> 
{0, l} Al , iJ 2 (-) : {0,1}* -> {0, l} n , and H 3 {-) : {0,1}* -> {0, 1} X \ where Ai and A 2 
are the security parameters, n is the bit-length of messages to be encrypted. The details 
are as follows: 

• KeyGen: Choose a safe-prime modulus TV = pq, three random numbers a £ 

Z* N 2 , a, & € [l,pp'qq'], a hash function iT(-), where p = 2p' + 1, q = 2 q 1 + 1, 
p, p', q , q' are primes, and H(-) : {0,1}* —> Furthermore, set g 3 = 

a 2 mod TV 2 , g\ = g 3 a mod TV 2 , and g 2 = g 3 b mod TV 2 . The public key is 
pk = (H(-), N, go, gi, g 2 ), the sub-private key is wsk = ( a,b ), and the private 
key is sk = (p,q,p',q'). 
• ReKeyGen: On input a public key $pk_Y = (H_Y(\cdot), N_Y, g_{Y0}, g_{Y1}, g_{Y2})$, a sub-private key $wsk_X = a_X$, and a private key $sk_X = (p_X, q_X, p'_X, q'_X)$, it outputs the unidirectional re-encryption key $rk_{X \to Y} = (rk^{(1)}_{X \to Y}, rk^{(2)}_{X \to Y})$, where $rk^{(2)}_{X \to Y} = (A, B, C)$, computed as follows:

  - Choose two random numbers $\sigma \in \mathbb{Z}_N$ and $\beta \in \{0,1\}^{\lambda_1}$.

  - Compute $rk^{(1)}_{X \to Y} = a_X - \beta \bmod (p_X q_X p'_X q'_X)$.

  - Compute $r_{X \to Y} = H_Y(\sigma \| \beta)$, $A = (g_{Y0})^{r_{X \to Y}} \bmod (N_Y)^2$, $C = H_1(\sigma) \oplus \beta$, and

$$B = (g_{Y2})^{r_{X \to Y}} \cdot (1 + \sigma N_Y) \bmod (N_Y)^2. \qquad (2.1)$$

• Enc: On input a public key $pk = (H(\cdot), N, g_0, g_1, g_2)$ and a message $m \in \{0,1\}^n$, it proceeds as follows:

  - Choose a random number $\sigma \in \mathbb{Z}_N$.

  - Compute $r = H(\sigma \| m)$, $A = (g_0)^r \bmod N^2$, $C = H_2(\sigma) \oplus m$, $D = (g_2)^r \bmod N^2$, and

$$B = (g_1)^r \cdot (1 + \sigma N) \bmod N^2. \qquad (2.2)$$

  - Run $(c, s) \leftarrow \mathrm{SoK.Gen}(A, D, g_0, g_2, (B, C))$, where the underlying hash function is $H_3$.

  - Output the ciphertext $K = (A, B, C, D, c, s)$.

• ReEnc: On input a re-encryption key $rk_{X \to Y} = (rk^{(1)}_{X \to Y}, rk^{(2)}_{X \to Y})$ and a ciphertext $K = (A, B, C, D, c, s)$ under key $pk_X = (H_X(\cdot), N_X, g_{X0}, g_{X1}, g_{X2})$, check whether $c = H_3(A \| D \| g_{X0} \| g_{X2} \| (g_{X0})^s A^c \| (g_{X2})^s D^c \| (B \| C))$. If it does not hold, output reject and terminate; otherwise, re-encrypt the ciphertext into one under key $pk_Y$ as follows:

  - Compute $A' = A^{rk^{(1)}_{X \to Y}} = (g_{X0})^{r \cdot (a_X - \beta)} \bmod (N_X)^2$.

  - Output the new ciphertext $(A, A', B, C, rk^{(2)}_{X \to Y}) = (A, A', B, C, \bar{A}, \bar{B}, \bar{C})$.

• Dec: On input a private key and any ciphertext $K$, parse $K = (A, B, C, D, c, s)$ or $K = (A, A', B, C, \bar{A}, \bar{B}, \bar{C})$.

  - Case $K = (A, B, C, D, c, s)$: Check whether

$$c = H_3(A \| D \| g_0 \| g_2 \| (g_0)^s A^c \| (g_2)^s D^c \| (B \| C));$$

    if not, output reject and terminate; otherwise,

    * compute $\sigma = \dfrac{B/(A^a) - 1 \bmod N^2}{N}$ if the input private key is the sub-private key $a$;

    * compute $\sigma = \dfrac{(B/g_0^{w_1})^{2p'q'} - 1 \bmod N^2}{N} \cdot \pi \pmod N$, where $w_1$ is computed as in scheme BCP03 and $\pi$ is the inverse of $2p'q' \bmod N$, if the input private key is the private key $(p, q, p', q')$.

    Compute $m = C \oplus H_2(\sigma)$; if $A = (g_0)^{H(\sigma \| m)}$ and $B = (g_1)^{H(\sigma \| m)} \cdot (1 + \sigma N) \bmod N^2$ both hold, output $m$; otherwise, output reject and terminate.

  - Case $K = (A, A', B, C, \bar{A}, \bar{B}, \bar{C})$: In this case, the decryptor should know the delegator's (Alice's) public key $(H'(\cdot), N', g'_0, g'_1, g'_2)$.

    * If the input private key is the sub-private key $b$, compute

$$\sigma = \frac{\bar{B}/(\bar{A}^b) - 1 \bmod N^2}{N}.$$

    * If the input private key is the private key $(p, q, p', q')$, compute

$$\sigma = \frac{(\bar{B}/g_0^{w_1})^{2p'q'} - 1 \bmod N^2}{N} \cdot \pi \pmod N,$$

      where $w_1$ is computed as in scheme BCP03 and $\pi$ is the inverse of $2p'q' \bmod N$.

    Compute $\beta = \bar{C} \oplus H_1(\sigma)$; if $\bar{A} = (g_0)^{H(\sigma \| \beta)}$ and $\bar{B} = (g_2)^{H(\sigma \| \beta)} \cdot (1 + \sigma N) \bmod N^2$ both hold, then compute

$$\sigma = \frac{B/(A' \cdot A^{\beta}) - 1 \bmod N'^2}{N'}, \qquad m = C \oplus H_2(\sigma);$$

    otherwise, output reject and terminate. If $A = (g'_0)^{H'(\sigma \| m)} \bmod N'^2$ and $B = (g'_1)^{H'(\sigma \| m)} \cdot (1 + \sigma N') \bmod N'^2$ both hold, output $m$; otherwise, output reject and terminate.

Note that $(H(\cdot), N, g_0, g_1, g_2)$ is the public key of the decryptor.

Theorem 2.3.9 (CCA-O security). In the random oracle model, scheme $\mathcal{S}_{supre}$ is CCA-O-secure under the assumptions that the DDH problem over $\mathbb{Z}^*_{N^2}$ is hard, and that the signature of knowledge is secure.

Proof. We show that if an algorithm $\mathcal{A}$ exists that can break the CCA-O security of $\mathcal{S}_{supre}$ with probability $\epsilon$ in time $t$, then there is another algorithm $\mathcal{B}$ that uses $\mathcal{A}$ to solve the DDH problem over $\mathbb{Z}^*_{N^2}$, i.e., on DDH input $(N, g, g^u, g^v, T)$, $\mathcal{B}$ decides whether $T = g^{uv}$ or not.

$\mathcal{B}$ interacts with $\mathcal{A}$ in a CCA-O game as follows ($\mathcal{B}$ simulates the challenger for $\mathcal{A}$). In the following, we use starred letters $(A^*, B^*, C^*, D^*, c^*, s^*)$ to refer to the challenge ciphertext corresponding to the target public key $pk^*$.

Hash Oracles:

$O_H$: One oracle $O_H$ corresponds to one hash function $H(\cdot)$, which is a part of a user's public key. As a result, there are many such oracles, and they are all constructed in the following way. On input $(\sigma_i, m_i)$, $\mathcal{B}$ first checks whether a triple $(\sigma_i, m_i, \alpha_i)$ is in Table $T_H$. If yes, $\mathcal{B}$ responds to $\mathcal{A}$ with $\alpha_i$; otherwise, $\mathcal{B}$ chooses a random number $\alpha_i \in \mathbb{Z}_{N^2}$, responds to $\mathcal{A}$ with $\alpha_i$, and records $(\sigma_i, m_i, \alpha_i)$ in Table $T_H$, where $N$ is the corresponding safe-prime modulus and a part of the user's public key.

$O_{H_1}$: On input $\sigma_i$, $\mathcal{B}$ first checks whether a pair $(\sigma_i, \beta_i)$ is in Table $T_{H_1}$. If yes, $\mathcal{B}$ responds to $\mathcal{A}$ with $\beta_i$; otherwise, $\mathcal{B}$ chooses a random number $\beta_i \in \{0,1\}^{\lambda_1}$, responds to $\mathcal{A}$ with $\beta_i$, and records $(\sigma_i, \beta_i)$ in Table $T_{H_1}$.

$O_{H_2}$: On input $\sigma_i$, $\mathcal{B}$ first checks whether a pair $(\sigma_i, \gamma_i)$ is in Table $T_{H_2}$. If yes, $\mathcal{B}$ responds to $\mathcal{A}$ with $\gamma_i$; otherwise, $\mathcal{B}$ chooses a random number $\gamma_i \in \{0,1\}^n$, responds to $\mathcal{A}$ with $\gamma_i$, and records $(\sigma_i, \gamma_i)$ in Table $T_{H_2}$.

$O_{H_3}$: On input $(A_i, D_i, g_{i0}, g_{i2}, E_i, F_i, B_i, C_i)$, $\mathcal{B}$ first checks whether a tuple $(A_i, D_i, g_{i0}, g_{i2}, E_i, F_i, B_i, C_i, \delta_i)$ is in Table $T_{H_3}$. If yes, $\mathcal{B}$ responds to $\mathcal{A}$ with $\delta_i$; otherwise, $\mathcal{B}$ chooses a random number $\delta_i \in \{0,1\}^{\lambda_2}$, responds to $\mathcal{A}$ with $\delta_i$, and records $(A_i, D_i, g_{i0}, g_{i2}, E_i, F_i, B_i, C_i, \delta_i)$ in Table $T_{H_3}$.

Phase 1:

$O_{pk}$: On input an index $i$, $\mathcal{B}$ decides whether $pk_i$ is the target public key $pk^*$.

  • If yes, $\mathcal{B}$ sets $N = N$, $H(\cdot) : \{0,1\}^* \to \mathbb{Z}_{N^2}$, $g_0 = g$, $g_1 = g^u$, and $g_2 = g^w$, where $w \in \mathbb{Z}_{N^2}$. Then $\mathcal{B}$ records

$$(H(\cdot), N, g_0, g_1, g_2, -, w, -, -)$$

  in Table $T_k$.

  • Otherwise, $\mathcal{B}$ runs KeyGen to get the public key $(H(\cdot), N, g_0, g_1, g_2)$, the private key $(p', q')$, and the weak private key $(a, b)$, and records

$$(H(\cdot), N, g_0, g_1, g_2, a, b, p', q')$$

  in Table $T_k$.

Finally, $\mathcal{B}$ returns $(H(\cdot), N, g_0, g_1, g_2)$ to $\mathcal{A}$ as $pk_i$.

$O_{sk}$: On input $pk_X = (H_X(\cdot), N_X, g_{X0}, g_{X1}, g_{X2})$, $\mathcal{B}$ checks whether $pk_X$ is in $T_k$. If not, $\mathcal{B}$ terminates. Otherwise, if $pk_X$ is the guessed attacked public key, $\mathcal{B}$ reports failure and aborts; otherwise, $\mathcal{B}$ responds to $\mathcal{A}$ with the corresponding $(p'_X, q'_X)$, and records $pk_X$ in Table $T_{sk}$.

$O_{rk}$: On input $(pk_X, pk_Y)$, $\mathcal{B}$ checks whether $pk_X$ and $pk_Y$ are both in $T_k$. If not, $\mathcal{B}$ terminates. Otherwise, $\mathcal{B}$ checks whether $(pk_X, pk_Y, rk^{(1)}_{X \to Y}, rk^{(2)}_{X \to Y})$ is in Table $T_{rk}$, or $(pk_X, pk_Y, \beta_{X \to Y}, rk^{(1)}_{X \to Y}, rk^{(2)}_{X \to Y})$ is in Table $T_{urk}$; if such a record exists, $\mathcal{B}$ returns $(rk^{(1)}_{X \to Y}, rk^{(2)}_{X \to Y})$ to $\mathcal{A}$; otherwise,

  • if $pk_X$ is in Table $T_{sk}$ or $pk_X$ is not the guessed attacked public key, $\mathcal{B}$ responds to $\mathcal{A}$ with $(rk^{(1)}_{X \to Y}, rk^{(2)}_{X \to Y}) \leftarrow \mathrm{ReKeyGen}(sk_X, pk_Y)$, and records $(pk_X, pk_Y, rk^{(1)}_{X \to Y}, rk^{(2)}_{X \to Y})$ in Table $T_{rk}$;

  • if $pk_X$ is the guessed attacked public key, and $pk_Y$ is not in Table $T_{sk}$, $\mathcal{B}$ proceeds as follows.

    - Choose three random numbers $\beta \in \{0,1\}^{\lambda_1}$, $rk^{(1)}_{X \to Y}$, and $\sigma \in \mathbb{Z}_N$.

    - Compute

$$r_{X \to Y} = H_Y(\sigma \| \beta), \quad A = (g_{Y0})^{r_{X \to Y}} \bmod (N_Y)^2, \quad B = (g_{Y1})^{r_{X \to Y}} \cdot (1 + \sigma N_Y) \bmod (N_Y)^2, \quad C = H_1(\sigma) \oplus \beta,$$

      where $(H_Y(\cdot), N_Y, g_{Y0}, g_{Y1}, g_{Y2}) = pk_Y$.

    - Set $rk^{(2)}_{X \to Y} = (A, B, C)$.

    - Return $(rk^{(1)}_{X \to Y}, rk^{(2)}_{X \to Y})$ to $\mathcal{A}$.

    - Record $(pk_X, pk_Y, \beta, rk^{(1)}_{X \to Y}, rk^{(2)}_{X \to Y})$ in Table $T_{urk}$.

    If $\mathcal{B}$ successfully responds to the decryption queries on ciphertexts re-encrypted with the above re-encryption keys, these keys are indistinguishable from those in the real execution from the viewpoint of $\mathcal{A}$, due to the security property of scheme BCP03 with the Fujisaki-Okamoto conversion.

  • If $pk_X$ is the guessed attacked public key, and $pk_Y$ is in Table $T_{sk}$, $\mathcal{B}$ reports failure and aborts.

$O_{re}$: On input $(pk_X, pk_Y, K)$, $\mathcal{B}$ checks whether $pk_X$ and $pk_Y$ are both in Table $T_k$. If not, $\mathcal{B}$ terminates. Otherwise, $\mathcal{B}$ parses $K = (A, B, C, D, c, s)$ and checks whether $c = H_3(A \| D \| g_{X0} \| g_{X2} \| (g_{X0})^s A^c \| (g_{X2})^s D^c \| (B \| C))$, where $pk_X = (H_X(\cdot), N_X, g_{X0}, g_{X1}, g_{X2})$; if not, $\mathcal{B}$ outputs reject and terminates; otherwise, $\mathcal{B}$ proceeds as follows.

  • If $pk_X$ is the guessed attacked public key, and $pk_Y$ is in Table $T_{sk}$, $\mathcal{B}$ executes the following steps:

    1. Set two empty sets $S_1$ and $S_2$.

    2. Find all elements $(\sigma_i, m_i, \alpha_i)$ in Table $T_{H_X}$ such that $A = (g_{X0})^{\alpha_i} \bmod (N_X)^2$, and put them into Set $S_1$. If $S_1 = \emptyset$, output reject and terminate.

       This step makes this oracle distinguishable from the real execution when the adversary can guess the correct value of $H_X(\sigma_i \| m_i)$ without querying $O_{H_X}$. The probability of this event is $q_{H_X} / |\mathbb{Z}_{(N_X)^2}|$, where $q_{H_X}$ is the number of queries to $O_{H_X}$.

    3. For every $(\sigma_i, m_i, \alpha_i)$ in Set $S_1$, find all elements in Table $T_{H_2}$ such that $\sigma_j = \sigma_i$ and put them (i.e., the $(\sigma_i, m_i, \alpha_i) \| (\sigma_j, \gamma_j)$'s) into Set $S_2$. If $S_2 = \emptyset$, output reject and terminate.

       This step makes this oracle distinguishable from the real execution when the adversary can guess the correct value of $H_2(\sigma_i)$ without querying $O_{H_2}$. The probability of this event is $q_{H_2} / 2^n$, where $q_{H_2}$ is the number of queries to $O_{H_2}$.

    4. Check whether there is a $(\sigma_i, m_i, \alpha_i) \| (\sigma_j, \gamma_j)$ in Set $S_2$ such that $(g_{X1})^{\alpha_i} \cdot (1 + \sigma_i N_X) \bmod (N_X)^2 = B$ and $\gamma_j \oplus m_i = C$. If none exists or more than one exist, output reject and terminate.

    5. Search for $(pk_X, pk_Y, \beta)$ in Table $T_{frk}$; if it is not found, choose a random number from $\{0,1\}^{\lambda_1}$ as $\beta$, and record $(pk_X, pk_Y, \beta)$ in Table $T_{frk}$.

    6. Choose a random number $\sigma \in \mathbb{Z}_N$.

    7. Compute

$$r_{X \to Y} = H_Y(\sigma \| \beta), \quad A = (g_{Y0})^{r_{X \to Y}}, \quad B = (g_{Y1})^{r_{X \to Y}} \cdot (1 + \sigma N_Y) \bmod (N_Y)^2, \quad C = H_1(\sigma) \oplus \beta_{X \to Y},$$

       where $pk_Y = (H_Y(\cdot), N_Y, g_{Y0}, g_{Y1}, g_{Y2})$.

    8. Set $rk^{(2)}_{X \to Y} = (A, B, C)$.

    9. Return $(A, (g_{X1})^{\alpha_i} \cdot (g_{X0})^{-\alpha_i \beta}, B, C, rk^{(2)}_{X \to Y})$ to $\mathcal{A}$.

  • Otherwise, $\mathcal{B}$ calls oracle $O_{rk}$ to get the re-encryption key $rk_{X \to Y}$, and returns $\mathrm{ReEnc}(rk_{X \to Y}, K)$.

$O_{dec}$: On input $(pk_X, K)$, $\mathcal{B}$ checks whether $pk_X$ is in Table $T_k$; if not, $\mathcal{B}$ terminates. Otherwise, $\mathcal{B}$ proceeds as follows:

  • If $pk_X$ is not the guessed attacked public key, then $sk_X$ is known to $\mathcal{B}$, who responds to $\mathcal{A}$ with $\mathrm{Dec}(sk_X, K)$.

  • If $pk_X$ is the guessed attacked public key and $K = (A, B, C, D, c, s)$, $\mathcal{B}$ checks whether $c = H_3(A \| D \| g_{X0} \| g_{X2} \| (g_{X0})^s A^c \| (g_{X2})^s D^c \| (B \| C))$; if not, $\mathcal{B}$ outputs reject and terminates; otherwise, $\mathcal{B}$ does the following:

    1. Set two empty sets $S_1$ and $S_2$.

    2. Find all elements $(\sigma_i, m_i, \alpha_i)$ in Table $T_{H_X}$ such that $A = (g_{X0})^{\alpha_i} \bmod (N_X)^2$, and put them into Set $S_1$. If $S_1 = \emptyset$, output reject and terminate.

       This step makes this oracle distinguishable from the real execution when the adversary can guess the correct value of $H_X(\sigma_i \| m_i)$ without querying $O_{H_X}$. The probability of this event is $q_{H_X} / |\mathbb{Z}_{(N_X)^2}|$.

    3. For every $(\sigma_i, m_i, \alpha_i)$ in Set $S_1$, find all elements in Table $T_{H_2}$ such that $\sigma_j = \sigma_i$ and put them (i.e., the $(\sigma_i, m_i, \alpha_i) \| (\sigma_j, \gamma_j)$'s) into Set $S_2$. If $S_2 = \emptyset$, output reject and terminate.

       This step makes this oracle distinguishable from the real execution when the adversary can guess the correct value of $H_2(\sigma_i)$ without querying $O_{H_2}$. The probability of this event is $q_{H_2} / 2^n$.

    4. Check whether there is a $(\sigma_i, m_i, \alpha_i) \| (\sigma_j, \gamma_j)$ in Set $S_2$ such that $(g_{X1})^{\alpha_i} \cdot (1 + \sigma_i N_X) \bmod (N_X)^2 = B$ and $\gamma_j \oplus m_i = C$. If none exists or more than one exist, output reject and terminate; otherwise, output $m_i$.

  • If $pk_X$ is the guessed attacked public key and $K = (A, A', B, C, \bar{A}, \bar{B}, \bar{C})$, $\mathcal{B}$ searches for $(pk_Y, pk_X, \star_1, \star_2, \star_3)$ in Table $T_{urk}$ such that $\star_2 = (\bar{A}, \bar{B}, \bar{C})$.

    If it does not exist, $\mathcal{B}$ proceeds as follows:

    1. Set two empty sets $S_1$ and $S_2$.

    2. Find all elements $(\sigma_i, m_i, \alpha_i)$ in Table $T_{H_X}$ such that $A = (g_{X0})^{\alpha_i} \bmod (N_X)^2$, and put them into Set $S_1$. If $S_1 = \emptyset$, output reject and terminate.

       This step makes this oracle distinguishable from the real execution when the adversary can guess the correct value of $H_X(\sigma_i \| m_i)$ without querying $O_{H_X}$. The probability of this event is $q_{H_X} / |\mathbb{Z}_{(N_X)^2}|$.

    3. For every $(\sigma_i, m_i, \alpha_i)$ in Set $S_1$, find all elements in Table $T_{H_1}$ such that $\sigma_j = \sigma_i$ and put them (i.e., the $(\sigma_i, m_i, \alpha_i) \| (\sigma_j, \beta_j)$'s) into Set $S_2$. If $S_2 = \emptyset$, output reject and terminate.

       This step makes this oracle distinguishable from the real execution when the adversary can guess the correct value of $H_1(\sigma_i)$ without querying $O_{H_1}$. The probability of this event is $q_{H_1} / 2^{\lambda_1}$, where $q_{H_1}$ is the number of queries to $O_{H_1}$.

    4. Check whether there is a $(\sigma_i, m_i, \alpha_i) \| (\sigma_j, \beta_j)$ in Set $S_2$ such that $B = (g_{X1})^{\alpha_i} \cdot (1 + \sigma_i N_X) \bmod (N_X)^2$ and $\beta_j \oplus m_i = C$. If none exists or more than one exist, output reject and terminate.

    5. Compute $\sigma = \dfrac{B/(A' \cdot A^{\beta_j}) - 1 \bmod (N_Y)^2}{N_Y}$ and $m = C \oplus H_2(\sigma)$.

       If $A = (g_{Y0})^{H_Y(\sigma \| m)} \bmod (N_Y)^2$, output $m$, where $pk_Y = (H_Y(\cdot), N_Y, g_{Y0}, g_{Y1}, g_{Y2})$ is the corresponding delegator's public key; otherwise, output reject and terminate.

    If it does exist, $\mathcal{B}$ checks whether $A' = A^{\star_3}$. If not, output reject and terminate; otherwise, $\mathcal{B}$ proceeds as follows:

    1. Set two empty sets $S_1$ and $S_2$.

    2. Find all elements $(\sigma_i, m_i, \alpha_i)$ in Table $T_{H_Y}$ such that $A = (g_{Y0})^{\alpha_i} \bmod (N_Y)^2$, and put them into Set $S_1$. If $S_1 = \emptyset$, output reject and terminate.

       This step makes this oracle distinguishable from the real execution when the adversary can guess the correct value of $H_Y(\sigma_i \| m_i)$ without querying $O_{H_Y}$. The probability of this event is $q_{H_Y} / |\mathbb{Z}_{(N_Y)^2}|$, where $q_{H_Y}$ is the number of queries to $O_{H_Y}$.

    3. For every $(\sigma_i, m_i, \alpha_i)$ in Set $S_1$, find all elements in Table $T_{H_2}$ such that $\sigma_j = \sigma_i$ and put them (i.e., the $(\sigma_i, m_i, \alpha_i) \| (\sigma_j, \gamma_j)$'s) into Set $S_2$. If $S_2 = \emptyset$, output reject and terminate.

       This step makes this oracle distinguishable from the real execution when the adversary can guess the correct value of $H_2(\sigma_i)$ without querying $O_{H_2}$. The probability of this event is $q_{H_2} / 2^n$.

    4. Check whether there is a $(\sigma_i, m_i, \alpha_i) \| (\sigma_j, \gamma_j)$ in Set $S_2$ such that $(g_{Y1})^{\alpha_i} \cdot (1 + \sigma_i N_Y) \bmod (N_Y)^2 = B$ and $\gamma_j \oplus m_i = C$. If none exists or more than one exist, output reject and terminate; otherwise, output $m_i$.

Challenge: At some point, $\mathcal{A}$ outputs a challenge tuple $(pk^*, m_0, m_1)$. If $pk^*$ is not the public key $\mathcal{B}$ guessed in oracle $O_{pk}$, $\mathcal{B}$ reports failure and aborts. Otherwise, $\mathcal{B}$ chooses a random $d \in \{0, 1\}$ and $\sigma \in \mathbb{Z}_N$, and sets

$$A^* = g^v \bmod N^2, \quad B^* = T(1 + m_d N) \bmod N^2, \quad C^* = H_2(\sigma) \oplus m_d, \quad D^* = (g^v)^w \bmod N^2.$$

Then $\mathcal{B}$ chooses two random numbers $c^* \in \{0,1\}^{\lambda_2}$ and $s^* \in \{0, \ldots, 2^{L(N) + \lambda_2} - 1\}$, computes $E^* = g^{s^*} (A^*)^{c^*} \bmod N^2$ and $F^* = (g^u)^{s^*} (D^*)^{c^*} \bmod N^2$, and checks whether $(A^*, D^*, g^u, g^w, E^*, F^*, B^*, C^*, \star)$ is in Table $T_{H_3}$. If yes, $\mathcal{B}$ reports failure and aborts; otherwise, $\mathcal{B}$ outputs $(A^*, B^*, C^*, D^*, c^*, s^*)$ and records

$$(A^*, D^*, g^u, g^w, E^*, F^*, B^*, C^*, c^*)$$

in Table $T_{H_3}$.

Phase 2:

$O_{pk}$: $\mathcal{B}$ responds as in Phase 1.

$O_{sk}$: On input $pk_i$, if $pk_i = pk^*$, or $(pk^*, pk_i)$ is in Table $T_{rk}$, then $\mathcal{B}$ terminates. Otherwise, $\mathcal{B}$ responds as in Phase 1.

$O_{rk}$: On input $(pk_i, pk_j)$, if $pk_i = pk^*$ and $pk_j$ is in Table $T_{sk}$, $\mathcal{B}$ terminates. Otherwise, $\mathcal{B}$ responds as in Phase 1.

$O_{re}$: On input $(pk_i, pk_j, K)$, if $(pk_i, K) = (pk^*, K^*)$ and $pk_j$ is in Table $T_{sk}$, $\mathcal{B}$ terminates. Otherwise, $\mathcal{B}$ responds as in Phase 1, except that when $pk_i = pk^*$ and $(A, B, C, D, c, s) = (A^*, B^*, C^*, D^*, c^*, s^*)$, $\mathcal{B}$ should record the result $(pk_j, A', C, D, \bar{A}, \bar{C}, \bar{D})$ in Table $T_{der}$, where the derivatives of the challenge ciphertext are recorded.

$O_{dec}$: On input $(pk_i, K)$, if $(pk_i, K) = (pk^*, K^*)$, or $(pk_i, K)$ is in $T_{der}$, or $K = \mathrm{ReEnc}(O_{rk}(pk^*, pk_i), K^*)$, then $\mathcal{B}$ terminates. Otherwise, $\mathcal{B}$ responds as in Phase 1.

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $d' \in \{0, 1\}$. If $d = d'$, then $\mathcal{B}$ outputs 1 (i.e., DDH instance); otherwise, $\mathcal{B}$ outputs 0 (i.e., not a DDH instance).

Firstly, we analyze the probability that $\mathcal{B}$ does not output failure, which requires the following two events:

1. $\mathcal{B}$ guesses the right attacked public key.

2. The record $(A^*, D^*, g^u, g^w, E^*, F^*, B^*, C^*, \star)$ is not in Table $T_{H_3}$ before the challenge phase.

Suppose $\mathcal{A}$ makes a total of $q_{pk}$ queries to the public key generation oracle, $q_{rk}$ queries to the re-encryption key generation oracle, $q_{de}$ queries to the decryption oracle, $q_H$ queries to the $H$ hash function oracle, $q_{H_1}$ queries to the $H_1$ hash function oracle, $q_{H_2}$ queries to the $H_2$ hash function oracle, and $q_{H_3}$ queries to the $H_3$ hash function oracle.

The probabilities of the above two events are $1/q_{pk}$ and $1 - (q_{H_3} + 1)/2^{\lambda_2}$, respectively. Therefore, the probability that $\mathcal{B}$ does not output failure during the simulation is $(1 - (q_{H_3} + 1)/2^{\lambda_2})/q_{pk}$.

Secondly, oracles $O_{re}$ and $O_{dec}$ are indistinguishable from the corresponding real executions with probabilities at least

$$\frac{1 + q_{max} + (q_{max})^2 \left(1 - \dfrac{q_{H_X}}{|\mathbb{Z}_{N_{mx}}|} - \dfrac{q_{H_2}}{2^{n}}\right)}{(1 + q_{max})^2}$$

and

$$\frac{q_{max} \left(1 - \dfrac{q_{H_X}}{|\mathbb{Z}_{N_{mx}}|} - \dfrac{q_{H_2}}{2^{n}}\right)}{1 + q_{max}},$$

respectively, where $q_{H_X}$ is the number of queries to the same kind of oracle $O_H$, $N_{mx}$ is the largest of the users' public-key moduli $N$, $|\mathbb{Z}_{N_{mx}}|$ is the size of $\mathbb{Z}_{N_{mx}}$, and $q_{max} = \max(\ldots)$.

Finally, in the re-encryption oracle, we assume that the signature of knowledge is secure; hence, the probability of breaking the signature of knowledge should be subtracted from $\epsilon$.

As a result, $\mathcal{B}$ has an advantage that is at least

$$\frac{\left(1 - (q_{H_3} + 1)/2^{\lambda_2}\right) \cdot \left(1 + q_{max} + (q_{max})^2\right)^{q_{rk}} \cdot (q_{max})^{q_{de}}}{q_{pk} \cdot (1 + q_{max})^{2q_{rk} + q_{de}}} \cdot \epsilon,$$

and its running time is at most

$$t + O\!\left(3q_{pk} + (7 + q_H) q_{rk} + (5 + q_H) q_{de}\right) t_e,$$

where $t_e$ is the time of computing one exponentiation in the cyclic group of quadratic residues modulo $N^2$. We here only consider the exponentiation computations.

This completes the proof. □

Theorem 2.3.10 (CCA-R security). In the random oracle model, scheme $\mathcal{S}_{supre}$ is CCA-R-secure under the assumptions that the DDH problem over $\mathbb{Z}^*_{N^2}$ is hard, and that the signature of knowledge is secure.

We can use a method similar to the proof of Theorem 2.3.9 to prove the above theorem. The main difference is that the public key of the target user is $(N = N, g_0 = g, g_1 = g^w, g_2 = g^u)$, not $(N = N, g_0 = g, g_1 = g^u, g_2 = g^w)$. This change allows us to generate any re-encryption key from the target user to any other user.

We leave this proof to the reader for practice.

2.4 Notes

In this chapter, we gave a comprehensive introduction to the security definitions of proxy re-cryptography. We also introduced one of our PRS schemes and one of our PRE schemes, which were published at Indocrypt 2007 and PKC 2009, respectively. We refer to [11, 193, 252] and [9, 10, 130, 194, 195, 249, 255, 283] for more PRS schemes and PRE schemes, respectively.

Some interesting problems in proxy re-cryptography still remain open. For instance:

• How to design proxy re-signature (re-encryption) with multi-usability, unidirectionality, and constant size.

• How to design pairing-free proxy re-signature (re-encryption) with collusion resistance, multi-usability, bidirectionality, and constant size.

• How to design generic constructions of PRE with certain properties from public key encryption with the corresponding properties, like the generic construction from ID-based (attribute-based or certificateless) encryption to ID-based (attribute-based or certificateless) PRE.



Chapter 3 


Attribute-Based Cryptography 

3.1 Introduction 

With the development of communication networks, there is a trend for users to store their sensitive data on the Internet. To distribute a message to a specific set of users, a trivial method is to encrypt it under each user's public key or identity in a traditional cryptosystem [34, 37, 87, 89, 90]. As expected, the ciphertext size and the computational cost of the encryption/decryption algorithms are linear in the number of receivers. Therefore, this is less attractive or even intolerable when the number of receivers is large. Indeed, in most cases, the qualified receivers share some common attributes, such as working location, gender, and age range.

For this reason, Sahai and Waters took the first step to solve the problem and introduced the concept of attribute-based encryption. In an attribute-based encryption (ABE) mechanism, users' keys and ciphertexts are labeled with sets of descriptive attributes, and a ciphertext can be decrypted only when the attributes of the ciphertext match those of the user's key. The proposed scheme allows decryption when a threshold number $k$ is less than the size of the overlap between a ciphertext and a private key. The attribute-based cryptosystems in which each ciphertext is labeled by the encryptor with a set of descriptive attributes and each private key is associated with an access structure that specifies the types of ciphertexts the key can decrypt are named key-policy attribute-based encryption (KPABE). In a ciphertext-policy attribute-based encryption scheme (CPABE), on the other hand, each user is identified by an attribute set and receives the private keys corresponding to those attributes from the authority. The sender who aims to distribute a message constructs an access policy associated with the ciphertext by connecting the attributes with OR, AND, and threshold gates.

The remainder of this chapter is organized as follows. Some universal definitions are introduced in Section 3.2. Then, a bounded ciphertext-policy encryption scheme, a multi-authority encryption scheme, an interval encryption scheme, and a fuzzy identity-based signature scheme are proposed in Sections 3.3, 3.4, 3.5, and 3.6, respectively. Finally, a brief conclusion is given and some future work is suggested in Section 3.7.

3.2 Universal Definitions

Definition 3.2.1 (Access Structure [20]). Let $\{P_1, P_2, \ldots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}}$ is monotone if for all $B, C$: if $B \in \mathbb{A}$ and $B \subseteq C$, then $C \in \mathbb{A}$. An access structure (monotone access structure) is a collection (monotone collection) $\mathbb{A}$ of nonempty subsets of $\{P_1, P_2, \ldots, P_n\}$, i.e., $\mathbb{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.

In ABE, the access structure $\mathbb{A}$ contains the authorized sets of attributes. It is shown in [20] that any monotone access structure can be realized by a linear secret sharing scheme.

Definition 3.2.2 (Linear Secret-Sharing Schemes (LSSS) [291]). A secret sharing scheme $\Pi$ over a set of parties $\mathcal{P}$ is called linear (over $\mathbb{Z}_p$) if

1. The shares for each party form a vector over $\mathbb{Z}_p$.

2. There exists a matrix $A$ called the share-generating matrix for $\Pi$. The matrix $A$ has $l$ rows and $n$ columns. For $i = 1, \ldots, l$, the $i$-th row of $A$ is labeled by a party $\rho(i)$ ($\rho$ is a function from $\{1, \ldots, l\}$ to $\mathcal{P}$). When we consider the column vector $v = (s, r_2, \ldots, r_n)$, where $s \in \mathbb{Z}_p$ is the secret to be shared and $r_2, \ldots, r_n \in \mathbb{Z}_p$ are randomly chosen, $Av$ is the vector of $l$ shares of the secret $s$ according to $\Pi$. The share $(Av)_i$ belongs to party $\rho(i)$.

It is shown that each linear secret-sharing scheme according to the above definition also enjoys the linear reconstruction property [20], defined as follows: Suppose that $\Pi$ is an LSSS for access structure $\mathbb{A}$. Let $S \in \mathbb{A}$ be an authorized set, and let $I \subseteq \{1, 2, \ldots, l\}$ be defined as $I = \{i : \rho(i) \in S\}$. There exist constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that if $\{\lambda_i\}$ are valid shares of any secret $s$ according to $\Pi$, then $\sum_{i \in I} \omega_i \lambda_i = s$. Furthermore, these constants $\{\omega_i\}$ can be found in time polynomial in the size of the share-generating matrix $A$. For any unauthorized set, no such constants exist. In expressive CPABE systems, an LSSS matrix $(A, \rho)$ is always used to express an access policy associated with a ciphertext.
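To make the share-generating matrix and the linear reconstruction property concrete, here is an added Python example (ours, not from [20] or [291]) for the policy "(AGE>25 AND CS) OR 2-of-3(DB, OS, DM)" that appears in this chapter's overview; the matrix $A$, the labelling $\rho$, and the Gauss-Jordan solver over $\mathbb{Z}_p$ are our constructions. It finds the constants $\{\omega_i\}$ for an authorized set by solving $\sum_{i \in I} \omega_i A_i = (1, 0, \ldots, 0)$ and reports that none exist for an unauthorized set.

```python
import random

# Constructed example policy: (AGE>25 AND CS) OR (2-of-3 of DB, OS, DM).
# Column 1 carries the secret s; columns 2 and 3 carry the randomness r_2, r_3.
# The AND gate is the row pair (1,1,0),(0,1,0); the threshold gate is a
# degree-1 Shamir sharing with rows (1,0,i), i = 1,2,3.  Matrix and labels are ours.
POLICY_MATRIX = [
    [1, 1, 0],   # AGE>25
    [0, 1, 0],   # CS
    [1, 0, 1],   # DB
    [1, 0, 2],   # OS
    [1, 0, 3],   # DM
]
RHO = ["AGE>25", "CS", "DB", "OS", "DM"]   # rho(i): the party labelling row i


def solve_mod_p(M, b, p):
    """Return one solution x of M x = b over Z_p (Gauss-Jordan), or None if none exists."""
    rows, cols = len(M), len(M[0])
    aug = [[v % p for v in M[i]] + [b[i] % p] for i in range(rows)]
    pivots = []                               # (row, column) of each pivot
    r = 0
    for c in range(cols):
        if r == rows:
            break
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue                          # free column, no pivot
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [v * inv % p for v in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append((r, c))
        r += 1
    if any(aug[i][cols] for i in range(r, rows)):
        return None                           # zero row with non-zero right-hand side
    x = [0] * cols                            # free variables are set to 0
    for i, c in pivots:
        x[c] = aug[i][cols]
    return x


def lsss_share(A, s, p, seed=0):
    """Shares lambda = A v with v = (s, r_2, ..., r_n) and r_i random in Z_p."""
    rng = random.Random(seed)
    v = [s % p] + [rng.randrange(p) for _ in range(len(A[0]) - 1)]
    return [sum(a * x for a, x in zip(row, v)) % p for row in A]


def reconstruction_constants(A, rho, S, p):
    """Constants {omega_i}_{i in I}, I = {i : rho(i) in S}, with sum_i omega_i A_i = (1,0,...,0).
    Returns a dict row-index -> omega_i, or None when S is unauthorized (no such constants)."""
    I = [i for i in range(len(A)) if rho[i] in S]
    if not I:
        return None
    n = len(A[0])
    # Unknowns are the omega_i; equation j says coordinate j of sum_i omega_i A_i equals e_1[j].
    M = [[A[i][j] for i in I] for j in range(n)]
    e1 = [1] + [0] * (n - 1)
    sol = solve_mod_p(M, e1, p)
    return None if sol is None else dict(zip(I, sol))


def lsss_reconstruct(shares, omegas, p):
    """sum_i omega_i lambda_i mod p, which equals s for valid shares of an authorized set."""
    return sum(w * shares[i] for i, w in omegas.items()) % p


def recover(A, rho, S, s, p, seed=0):
    """Share s, then reconstruct it from the shares held by S; None if S is unauthorized."""
    shares = lsss_share(A, s, p, seed)
    omegas = reconstruction_constants(A, rho, S, p)
    return None if omegas is None else lsss_reconstruct(shares, omegas, p)


if __name__ == "__main__":
    P = 2**31 - 1                             # a toy prime modulus for Z_p
    print(recover(POLICY_MATRIX, RHO, {"AGE>25", "CS"}, 12345, P))   # 12345
    print(recover(POLICY_MATRIX, RHO, {"AGE>25", "DB"}, 12345, P))   # None
```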

3.3 Bounded Ciphertext-Policy Encryption Schemes

The concept of attribute-based encryption (ABE) was introduced by Sahai and Waters [241]. In their scheme, the secret key is associated with an attribute set, and the ciphertext is also associated with another set of attributes. Decryption is successful only when these two sets overlap in more than a preset threshold number of attributes. Later, Goyal et al. [129] further classified ABE into two categories: ciphertext-policy (CP) ABE and key-policy (KP) ABE. While KPABE (the user's secret key represents an access policy over attributes) has been well developed by subsequent research [129, 223], how to design an efficient and secure CPABE (the ciphertext represents an access policy chosen by the sender) remains open [27, 84, 127].

The first CPABE scheme was proposed by Bethencourt et al. [27]. It allows users to encrypt a message under an expression consisting of threshold gates between attributes (called a fine-grained access structure). However, it only has a security argument in the generic group model and the random oracle model. Later, Cheung and Newport [84] gave a provably secure CPABE in the standard model. Their scheme supports an access policy with an "AND" gate on positive and negative attributes but cannot resist collusion attacks when extended to threshold gates. Recently, a bounded CPABE scheme supporting fine-grained access policies was proposed in [127].

Waters [291] presented several CPABE schemes. The construction of the first scheme is very elegant, and its security can be reduced to the decisional $q$-Bilinear Diffie-Hellman Exponent (BDHE) problem. The ciphertext size increases only linearly with the number of attributes present in the access structure. Another scheme, based on the DBDH assumption, is less efficient, since the ciphertext size is determined by the length and the width of the matrix, which depend on the size of the access structure.

Overview of Schemes

Ciphertext-policy attribute-based encryption (CPABE) cryptosystems are widely used to realize sensitive user data sharing and access control on the Internet. For example, "(AGE>25) AND (CS)" represents the restriction for a qualified user who at least holds the secret keys representing an age of more than 25 and the ownership of a computer science degree; three attributes (DB, OS, DM) connected by a "two out of three threshold gate" restrict decryption to succeed only when a user has registered for at least two courses from the list (Database, Operating System, and Discrete Mathematics). As in Figure 3.1, a sender stores the ciphertext encrypted under the access policy in the server $S_1$. The users $U_2$ and $U_3$ have the access right to the message since they both have two attributes from the attribute set, while $U_1$ does not, since he/she only has one attribute. This is an efficient and convenient approach for a user to broadcast his message to others in practice. Therefore, we mainly focus on developing a more efficient CPABE scheme.

Figure 3.1: A sample CPABE system

Considering the security proof of an ABE scheme, a more flexible access policy adopted on the sender's side makes the simulation more difficult. Thus, restricting the size of the access policy is necessary for designing a CPABE whose security reduces to an assumption in number theory. Goyal et al. introduced a new bounded CPABE (BCPABE), in which the encryption access tree must be limited by two properties: the maximum height and the maximum cardinality of non-leaf nodes. For example, the access tree (to the left of Figure 3.2) with height 2 has maximum cardinality 3.

In [127], a bounded CPABE scheme, secure in the standard model, was proposed to support a bounded-size access tree with threshold gates as its non-leaf nodes. At the beginning, the system manager pre-sets two bounds $(d, c)$ and a unique $(d, c)$-universal access tree $T_u$ (Figure 3.3). Later, the system manager publishes the public parameters and generates users' secret keys according to this universal access tree. If a sender wants to distribute his message, he must first convert a $(d, c)$-bounded access tree $T$ (the left of Figure 3.2) into its $(d, c)$-normal form¹ $T_n$ (the right of Figure 3.2), and then complete the encryption procedure according to a map constructed from the $(d, c)$-normal form access tree $T_n$ to the $(d, c)$-universal access tree $T_u$.

Figure 3.2: A conversion from a $(d, c)$-bounded access tree $T$ to its $(d, c)$-normal form $T_n$


In the $(d, c)$-universal access tree $T_u$, only leaf nodes of depth $d$ are associated with real attributes. This setting leads to the fact that users have to construct a map from $T_n$ to $T_u$ in order to ensure that the leaf nodes in $T_n$ share the same real attributes with their corresponding leaf nodes in $T_u$. However, this conversion to normal form actually expands the original tree $T$ with a great many non-leaf nodes, which leads to a boost in computational cost. We conclude that the expanded size is mainly due to two factors, called the exterior height factor and the interior depth factor (refer to Figure 3.2). The exterior height factor correlates with the height $h$ of a $(d, c)$-bounded access tree $T$: $d - h$ nodes must be added in order to expand the height of its normal form to $d$. Goyal et al. provide a method to eliminate this factor by constructing multiple parallel schemes with different-sized universal access trees, though it is very inefficient. The interior depth factor is the relative depth between leaf nodes in $T$: non-leaf nodes must be added in order to bring all the leaf nodes to the same depth (which is the deepest level). In order to eliminate both factors, we skip the interim step, i.e., converting the access tree to normal form, and directly map the $(d, c)$-bounded access tree selected by the sender to the $(d, c)$-universal tree. In other words, the redundant steps which pull all the leaf nodes to the deepest level by adding non-leaf nodes are skipped, and thus the computational cost is reduced.

¹ The definition of normal form can be looked up in Section 2.4.

Figure 3.3: A $(d, c)$-universal access tree $T_u$ in GJPS

As mentioned in GJPS, to construct a more efficient BCPABE scheme based on 
some assumptions in number theory is an important open problem. We will provide an 
affirmative answer to this problem. 

This section will present a bounded CPABE scheme BCPi which is more efficient 
than the previous works in GJPS. The security of BCPi can be reduced to the Decisional 
Bilinear Diffie-Hellman assumption in the standard model. Different from GJPS, the 
computational cost of encryption and decryption in our scheme are largely reduced 
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since we skip redundant steps, meanwhile the ciphertext size is shorter. Nevertheless, 
as a tradeoff, we demonstrate that the spacial cost, like the size of public parameter and 
secret keys, increases but be less than twice of the counterpart of GJPS. Furthermore, 
we propose a provably secure BCPABE scheme BCP2 in the standard model under a 
chosen ciphertext secure notion by adopting a one-time signature technique. There are 
two approaches which could be used for extending BCPi to BCP2- These two methods 
make a tradeoff between ciphertext size and the size of public/secret parameters. 

For illustration, we take a concrete example to explain the primitive idea used to 
reduce the computational cost of encryption/decryption algorithms. 

Consider a BCPABE scheme setup with bounds (d, c) 2 and an encryption under a 
(d, c)-bounded access tree T shown in the left of Figure 3.2. The threshold values of 
nodes 1 and 2 are both set to be 2, and nodes A, B. C, D represent four different real 
attributes. Now, we will show how the encryption algorithm of GJPS differs from ours. 

In GJPS, to encrypt under T, a user will first convert T to its normal form access 
tree $T_n$ (shown in the right of Figure 3.2). The threshold values of nodes 3, 4, 5, ..., 
d + 2 in $T_n$ are all set to be 1. Assume the computational cost of a single node is T; the 
total cost is $(4 + c - 2 + c - 2 + d \times (c - 1)) \cdot T$, where the exterior factor takes $(d - 2) \cdot (c - 1) \cdot T$ 
and the interior factor takes $2 \cdot (c - 1) \cdot T$. Likewise, if a user has a secret key associated 
with attributes (C, D), he will expend at least $(1 + 2 + d - 2) \times c = (d + 1) \times c$ pairing 
computations. It is obvious that the larger the two initial parameters (d, c) are set to be, 
the more cost a user will spend on encryption and decryption. 

In contrast, our scheme defines a map from T to $T_u$ and the total cost on encryption 
takes $(4 + c - 2 + c - 2) \cdot T$. The user with attributes (C, D) will expend only c pairing 
computations. Therefore, our scheme saves $d \times (c - 1) \cdot T$ on encryption and at least 
$dc$ pairing computations on decryption. The cost is even independent of the initial 
parameter d. The comparison of the general case can be found in Table 3.1 in the following 
subsections. Figure 3.4 gives an overall comparison between GJPS's scheme in ICALP 
2008 and our scheme. 

2 d > 2, c > 3 

Figure 3.4: The comparison between GJPS's scheme in ICALP 2008 and our scheme 
(panels: "Bounded ciphertext policy ABE (ICALP 2008)" and "Our ciphertext policy ABE") 

3.3.1 Definitions 

Decisional Bilinear Diffie-Hellman Problem. An algorithm S is an $\varepsilon'$-solver of 
the DBDH problem if it distinguishes with probability at least $1/2 + \varepsilon'$ between the two 
following probability distributions: 

$D_{bdh} = (g, g^a, g^b, g^c, e(g, g)^{abc})$, where a, b, c are chosen randomly in $\mathbb{Z}_p$; 

$D_{rand} = (g, g^a, g^b, g^c, Z)$, where a, b, c are chosen randomly in $\mathbb{Z}_p$ and Z is chosen 
randomly in $G_T$. 

Definition 3.3.1. The DBDH assumption holds in G and $G_T$ if there is no probabilistic 
polynomial-time $\varepsilon'$-solver of the DBDH problem for non-negligible value $\varepsilon'$. 

One-Time Signature. A one-time signature scheme ots [36,63] consists of three 
algorithms (ots.KGen, ots.Sig, ots.Ver). ots.KGen($1^k$) $\to$ (sk, vk) is the key 
generation algorithm, which outputs a secret key sk and a public verification key vk. 
ots.Sig(sk, m) $\to \sigma$ is the sign algorithm, which takes the secret key sk and a message 
m as its input and outputs a signature $\sigma$. Finally, the verification algorithm 
ots.Ver($\sigma$, m, vk) $\to$ 0 or 1 takes the signature $\sigma$, a message m, and a public verification 
key vk as its input, and outputs 1 if the signature is valid; 0 otherwise. 

Concerning the security issue, an adversary first receives a public verification key vk 
generated from ots.KGen($1^k$). He then makes at most one signature query for a message 
m of his choice, and obtains as an answer the valid signature ots.Sig(sk, m) $\to \sigma$. 
Finally, he outputs a pair $(m', \sigma')$. The adversary succeeds if $(m', \sigma') \neq (m, \sigma)$ and 
ots.Ver($\sigma'$, $m'$, vk) $\to$ 1. 

A one-time signature scheme ots is $\varepsilon_{ots}$-secure if every polynomial-time adversary 
against ots has a success probability bounded by $\varepsilon_{ots}$. 

Several definitions and notions are given below. 

Attribute Set: n real attributes, indexed from 1 to n. Any attribute set $\gamma \subseteq 
\{1, \ldots, n\}$. c - 1 dummy attributes, indexed from n + 1 to n + c - 1. 

Access Tree: Let T represent an access tree with its root r. Each non-leaf node x 
can be seen as a threshold gate with threshold value $k_x$. If x has $c_x$ child nodes, it is 
required that $0 < k_x \le c_x$. If x is a leaf node of the access tree, it is associated with a 
single attribute, denoted as att(x). 

We fix the root of an access tree to be at depth 0. Let $\Sigma_T$ denote the set of all the 
non-leaf nodes, and $\Theta_T$ denote all the leaf nodes. Let p(x) denote the parent of node x. 
For each non-leaf node x, we define an order among x's child nodes, that is, every child 
node z is numbered from 1 to $c_x$; index(z) returns such a number associated to node z. 
For simplicity, if z is a leaf node, we let att(z) = index(z). 

Satisfying an Access Tree: Let T be an access tree with root r. $T_x$ is a subtree 
rooted at a node x in T. If an attribute set $\gamma$ satisfies the access tree $T_x$, we denote 
$T_x(\gamma) = 1$. If x is a non-leaf node, evaluate $T_z(\gamma)$ for all children z of node x; $T_x(\gamma)$ 
returns 1 if and only if at least $k_x$ children of x return 1. If x is a leaf node, then 
$T_x(\gamma) = 1$ iff att(x) $\in \gamma$. If an access tree rooted at x is a $\gamma$-satisfied tree, then we call 
the node x a $\gamma$-satisfied node. Suppose T is a $\gamma$-satisfied tree; we call a subtree of T 
with root r a $\gamma$-satisfied non-redundant tree if the cardinality of each non-leaf node 
x is equal to x's threshold value in T and every node is a qualified node. Let $\hat{T}$ denote 
the $\gamma$-satisfied nonredundant tree with minimum non-leaf nodes.^3 

Universal Access Tree: Here, we describe a universal access tree (Figure 3.5) with 
two input parameters d and c. First, we define a complete c-ary tree T' of height d - 1, 
where each node has a threshold value c. Next, c - 1 new leaf nodes named "dummy 
nodes" representing c - 1 dummy attributes and n new leaf nodes named "real nodes" 
representing n real attributes are attached to each node in T'. The resultant tree $T_u$ is 
called a (d, c)-universal access tree. Let each node x except the root have an index related 
with its parent node, and att(x) = index(x) if x is a leaf node of a universal access tree. 
Here, for all the child nodes of one non-leaf node x in $T_u$, real nodes and dummy nodes 
will take indexes from $\{1, \ldots, n\}$ and $\{n + 1, \ldots, n + c - 1\}$, respectively, and the other 
non-leaf nodes will take indexes from $\{n + c, \ldots, n + 2c - 1\}$. 



Figure 3.5: Modified universal tree 


Bounded Access Tree: We say that T is a (d, c)-bounded access tree if its height 
$d' \le d$ and each non-leaf node x in T has at most c non-leaf child nodes. 

3 The decryption cost depends on the non-leaf nodes in the $\gamma$-satisfied nonredundant tree the decryptor 
chooses. 

Normal Form: Consider a (d, c)-bounded access tree $T_n$. $T_n$ exhibits the (d, c)-
normal form if (a) its height d' = d, and (b) all the leaf nodes are at depth d. Any 
(d, c)-bounded access tree T can be converted to its normal form without modifying its 
satisfying logic. (This is a special technique used in GJPS.) 

Map between Access Trees: The map, constructed from a (d, c)-bounded access 
tree T to the (d, c)-universal access tree $T_u$, is defined in the following way in a top-down 
manner. First, the root of T is mapped to the root of $T_u$. Now, suppose that x' in T is 
mapped to x in $T_u$. Let $z'_1, \ldots, z'_{c_{x'}}$ be the child nodes of x'. For $i \in \{1, \ldots, c_{x'}\}$, if 
$z'_i$ is a leaf node with att($z'_i$) $\in U$, set x's child node z as z = map($z'_i$) where index(z) = 
index($z'_i$); if $z'_i$ is a non-leaf node, set x's child node z such that z = map($z'_i$) where 
index(z) = index($z'_i$) + n + c - 1. This procedure is performed recursively until each 
node in T is mapped to a corresponding node in $T_u$. Notice that in a (d, c)-bounded 
access tree, each non-leaf node x in T has at most c non-leaf child nodes, so this 
recursive procedure terminates. 
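As an added illustration (not from the book), the following Python sketch evaluates $T_x(\gamma)$, checks the (d, c)-bound, and carries out the index map from an access tree to $T_u$ as defined above. The sample tree is constructed, and the convention that a node's non-leaf children are numbered 1, 2, ... among themselves before the offset n + c - 1 is added is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """A node of an access tree T.  A leaf carries a real attribute att(x) in 1..n;
    a non-leaf node is a threshold gate with threshold k_x over its children."""
    attr: Optional[int] = None
    k: int = 0
    children: List["Node"] = field(default_factory=list)

    @property
    def is_leaf(self) -> bool:
        return self.attr is not None


def satisfies(x: Node, gamma: set) -> bool:
    """T_x(gamma) = 1: a leaf iff att(x) in gamma, a gate iff >= k_x children satisfy."""
    if x.is_leaf:
        return x.attr in gamma
    return sum(satisfies(z, gamma) for z in x.children) >= x.k


def is_bounded(x: Node, d: int, c: int, depth: int = 0) -> bool:
    """(d, c)-bounded: every leaf at depth <= d (root at depth 0), every gate with
    0 < k_x <= c_x, and at most c non-leaf children under any node."""
    if x.is_leaf:
        return depth <= d
    if not 0 < x.k <= len(x.children):
        return False
    if sum(1 for z in x.children if not z.is_leaf) > c:
        return False
    return all(is_bounded(z, d, c, depth + 1) for z in x.children)


def map_to_universal(x: Node, n: int, c: int,
                     path: Tuple[int, ...] = ()) -> Dict[Tuple[int, ...], int]:
    """Top-down map from T to T_u.  A mapped node is keyed by the sequence of T_u
    indexes on its path from the root; the value is its index under its parent.
    A leaf child with attribute j keeps index j (a real node of T_u); the i-th
    non-leaf child (numbered among the non-leaf children, an assumption here)
    gets index i + n + c - 1, i.e. one of {n+c, ..., n+2c-1}.  The root maps to
    the root of T_u and is given index 0."""
    mapping = {path: path[-1] if path else 0}
    i = 0
    for z in x.children:
        if z.is_leaf:
            mapping[path + (z.attr,)] = z.attr
        else:
            i += 1
            idx = i + n + c - 1
            mapping.update(map_to_universal(z, n, c, path + (idx,)))
    return mapping


# Constructed sample (not Figure 3.2): n = 4 real attributes, bounds (d, c) = (2, 3).
# The root (k = 2) has leaves 1, 2 and a gate (k = 2) over leaves 3, 4.
N, D, C = 4, 2, 3
SAMPLE = Node(k=2, children=[Node(attr=1), Node(attr=2),
                             Node(k=2, children=[Node(attr=3), Node(attr=4)])])
# A root with four non-leaf children violates the bound c = 3.
TOO_WIDE = Node(k=1, children=[Node(k=1, children=[Node(attr=j)]) for j in (1, 2, 3, 4)])

if __name__ == "__main__":
    print(satisfies(SAMPLE, {1, 3, 4}), satisfies(SAMPLE, {1, 3}))   # True False
    print(is_bounded(SAMPLE, D, C), is_bounded(TOO_WIDE, D, C))     # True False
    print(map_to_universal(SAMPLE, N, C))   # the gate under the root gets index 7
```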

3.3.2 Security Models 

Bounded Ciphertext-policy Encryption Model. 

Definition 3.3.2. A BCPABE scheme includes a tuple of probabilistic polynomial-time 
algorithms as follows: 

• Setup(d, c) $\to$ (PP, MK): On input an implicit security parameter $1^k$ and two 
system parameters (d, c), the setup algorithm Setup outputs a public parameter 
PP and a master key MK. 

• KGen($\gamma$, MK) $\to$ (D): On input an attribute set $\gamma$ and a master key MK, the key 
generation algorithm KGen outputs a secret key D. 

• Enc(PP, T, m) $\to$ (E): On input the public parameter PP, a (d, c)-bounded access 
tree T, and a message m, the encryption algorithm Enc outputs a ciphertext 
E. 

• Dec(D, E) $\to$ (m): On input a secret key D and a ciphertext E, if the attribute 
set in D satisfies the access tree in E, the decryption algorithm Dec decrypts the 
ciphertext E and returns a message m; otherwise, it outputs $\bot$. 

Selective-Tree Security Model for BCPABE. This model was first introduced by 
GJPS. The analogous selective-ID model can be found in [34,37,59,84]. A BCPABE 
scheme is secure in the selective-tree CPA model if no probabilistic polynomial-time 
adversary A has a non-negligible advantage in winning the following game. 

Init A chooses an access tree T* that he wishes to be challenged upon. The challenger 
runs the Setup algorithm and gives A the resulting public parameter PP. It keeps the 
corresponding master key MK. 

Phase 1 A issues queries for secret keys related with many attribute sets $\gamma_j$, where 
$\gamma_j$ does not satisfy the access tree T* for all j. 

Challenge Once A decides that Phase 1 is over, it outputs two messages of the same 
length, $m_0$ and $m_1$, from the message space. The challenger chooses $\mu \in \{0, 1\}$ at 
random and encrypts $m_\mu$ with T*. Then, the ciphertext C* is given to A. 

Phase 2 The same as Phase 1. 

Guess A outputs a guess $\mu' \in \{0, 1\}$ and wins the game if $\mu' = \mu$. 

We define A's advantage in this game as $|\Pr[\mu' = \mu] - \frac{1}{2}|$. The selective-tree CPA 
model can be extended to handle chosen-ciphertext attacks by allowing for decryption 
queries in Phases 1 and 2, denoted as the selective-tree CCA model. 

3.3.3 Basic BCPABE Scheme BCP_1 

We now proceed with the formal description of our first scheme BCP_1. 

Setup(d, c): This algorithm takes two parameters (d, c) as its input. Define a real attribute 
set $U = \{1, \ldots, n\}$ and a dummy attribute set $U^* = \{n + 1, \ldots, n + c - 1\}$. Next, 
we define a (d, c)-universal access tree $T_u$ as explained in Section 2.4. $(d, c, U, U^*, T_u)$ 
are all used in the following algorithms. 

Now, the algorithm generates the public parameter for this scheme. For each real 
attribute $j \in U$, randomly choose a set of $|\Sigma_{T_u}|$ numbers $\{t_{j,x}\}_{x \in \Sigma_{T_u}}$ from $\mathbb{Z}_p$. Further, 
for each dummy attribute $j \in U^*$, randomly choose a set of $|\Sigma_{T_u}|$ numbers 
$\{t^*_{j,x}\}_{x \in \Sigma_{T_u}}$ from $\mathbb{Z}_p$. Finally, randomly choose $y \in \mathbb{Z}_p$. The public parameter is 

$$PP = \big(Y = e(g, g)^y,\ \{T_{j,x} = g^{t_{j,x}}\}_{j \in U, x \in \Sigma_{T_u}},\ \{T^*_{j,x} = g^{t^*_{j,x}}\}_{j \in U^*, x \in \Sigma_{T_u}}\big).$$ 

The master key is $MK = \big(y,\ \{t_{j,x}\}_{j \in U, x \in \Sigma_{T_u}},\ \{t^*_{j,x}\}_{j \in U^*, x \in \Sigma_{T_u}}\big)$. 

KGen($\gamma$, MK): This algorithm takes an attribute set $\gamma \subseteq U$ and the master key MK 
as its input, then it outputs a secret key D which can be used for decrypting a ciphertext 
encrypted under a (d, c)-bounded access tree T iff $T(\gamma) = 1$. 

Now, the algorithm generates the secret key. For each user, choose a random polynomial 
$q_x$ of degree c - 1 for each non-leaf node x in the (d, c)-universal access tree. These 
polynomials are chosen in a top-down manner, satisfying $q_x(0) = q_{p(x)}(\mathrm{index}(x))$ and 
$q_r(0) = y$. Once the polynomials have been fixed, it outputs the following secret key 

$$D = \Big(\gamma,\ \{D_{j,x} = g^{\frac{q_x(j)}{t_{j,x}}}\}_{j \in \gamma, x \in \Sigma_{T_u}},\ \{D^*_{j,x} = g^{\frac{q_x(j)}{t^*_{j,x}}}\}_{j \in U^*, x \in \Sigma_{T_u}}\Big).$$ 

Enc(m, PP, T): This algorithm takes a message m, the public parameter PP, and a 
(d, c)-bounded access tree T as its input. 

Now, to encrypt the message m with the access tree T, the algorithm first sets a 
map from T to $T_u$ using the method mentioned in Section 2.4. Then, for each non-leaf 
node $x \in T$, it chooses an arbitrary $(c - k_x)$-sized set $w_x$^4 of dummy child nodes 
of x' in $T_u$, x' = map(x). Following this, let f(j, x) = 1 if the node x in T has a 
child node associated with real attribute j; f(j, x) = 0 otherwise. Then, it chooses 
a random value $s \in \mathbb{Z}_p$ and outputs the ciphertext 

$$E = \Big(T,\ E' = m \cdot Y^s,\ \{E_{j,x} = T_{j,\mathrm{map}(x)}^s\}_{j \in U, x \in \Sigma_T, f(j,x) = 1},\ \{E^*_{j,x} = (T^*_{j,\mathrm{map}(x)})^s\}_{j \in w_x, x \in \Sigma_T}\Big).$$ 

4 Without loss of generality, $w_x = \{n + 1, \ldots, n + c - k_x\}$. 

Dec(E, D): This algorithm takes a ciphertext E and a secret key D as its input. 
If the attribute set $\gamma$ associated with D satisfies the access tree T in E, the algorithm 
proceeds as follows; otherwise, it outputs $\bot$. 

A recursive algorithm DecryptNode(E, D, x) takes the ciphertext E, the secret key 
D, and a satisfied non-leaf node x in T as its input and outputs a group element of $G_T$ 
or $\bot$. For each child node z of x: 

• if z is a real node, let j = att(z). Then, we have 

$$F_{x,j} = \mathrm{DecryptNode}(E, D, x) = \begin{cases} e(D_{j,\mathrm{map}(x)}, E_{j,x}) = e(g, g)^{s\, q_{\mathrm{map}(x)}(j)}, & \text{if } j \in \gamma; \\ \bot, & \text{otherwise.} \end{cases}$$ 

• if z is a dummy node, let $j = \mathrm{att}(z) \in w_x$. Then we have 

$$F_{x,j} = \mathrm{DecryptNode}(E, D, x) = e(D^*_{j,\mathrm{map}(x)}, E^*_{j,x}) = e(g, g)^{s\, q_{\mathrm{map}(x)}(j)}.$$ 

From the above procedure, for each non-leaf node x in T, if $T_x(\gamma) = 1$, we have 
at least $k_x + c - k_x = c$ different points $F_{x,j}$ to compute $e(g, g)^{s\, q_{\mathrm{map}(x)}(0)}$ using Lagrange 
interpolation (a satisfied non-leaf child z of x contributes the value returned by the recursive 
call on z, which is the point at index(map(z))). By recursively executing this procedure in a 
bottom-up manner, it finally obtains $E'' = e(g, g)^{s\, q_{\mathrm{map}(r)}(0)} = e(g, g)^{sy}$, where r is the root of T. The 
decryption algorithm outputs m = E'/E''. 

3.3.4 Security Proof of BCP_1 

Theorem 3.3.3. If the DBDH assumption holds in $(G, G_T)$, then scheme BCP_1 is 
selective-tree CPA secure in the standard model. 

Proof. Suppose a polynomial-time adversary A exists that can attack BCP_1 in the 
selective-tree CPA model with non-negligible advantage $\varepsilon$. We construct a simulator 
S that can distinguish the DBDH tuple from a random tuple with non-negligible advantage 
$\varepsilon/2$. 

We first let the challenger set the groups G and $G_T$ with an efficient bilinear map e 
and a generator g. The challenger flips a fair binary coin v, outside of S's view. If v = 1, 
the challenger sets $(g, A, B, C, Z) \in D_{bdh}$; otherwise it sets $(g, A, B, C, Z) \in D_{rand}$. 

Init The simulator S runs A. A chooses a challenge (d, c)-bounded access tree T*. 
The simulator S sets $Y = e(A, B) = e(g, g)^{ab}$. Then, S generates a (d, c)-universal 
access tree $T_u$ and a map from T* to $T_u$. Randomly choose $\{r_{j,x}\}_{j \in U, x \in \Sigma_{T_u}}$ and 
$\{r^*_{j,x}\}_{j \in U^*, x \in \Sigma_{T_u}}$ from $\mathbb{Z}_p$. 

For $j \in U$, $x \in \Sigma_{T_u}$, 

$$T_{j,x} = \begin{cases} g^{r_{j,x}}, & \text{if } x = \mathrm{map}(x'),\ x' \in \Sigma_{T^*},\ f(j, x') = 1; \\ B^{r_{j,x}}, & \text{otherwise.} \end{cases}$$ 

For $j \in U^*$, $x \in \Sigma_{T_u}$, 

$$T^*_{j,x} = \begin{cases} g^{r^*_{j,x}}, & \text{if } j \in w_{x'},\ x = \mathrm{map}(x'),\ x' \in \Sigma_{T^*}; \\ B^{r^*_{j,x}}, & \text{otherwise.} \end{cases}$$ 


Phase 1 A adaptively makes a query for a secret key related to an attribute set $\gamma$ such 
that $T^*(\gamma) = 0$. To generate the secret key, S needs to assign a polynomial $q_x$ for every 
non-leaf node in $T_u$ and output a piece of the secret key according to each non-leaf node. 

With an attribute set $\gamma$ as input, for any node $x \in T_u$, we call x an unsatisfied 
node iff there exists an unsatisfied node x' in T* such that map(x') = x; a satisfied 
node iff there exists a satisfied node x' in T* such that map(x') = x; and a non-mapped 
node iff there exists no node x' in T* such that map(x') = x. We define the following 
three procedures: PolyUnsat, PolySat, and PolyNotCare. 


For $j \in \gamma$, 

$$D_{j,x} = \begin{cases} g^{\frac{b\, q_x(j)}{r_{j,x}}} = B^{\frac{q_x(j)}{r_{j,x}}}, & \text{if } f(j, x') = 1; \\ g^{\frac{b\, q_x(j)}{b\, r_{j,x}}} = \big(g^{q_x(j)}\big)^{\frac{1}{r_{j,x}}}, & \text{otherwise.} \end{cases}$$ 

For $j \in U^*$, 

$$D^*_{j,x} = \begin{cases} g^{\frac{b\, q_x(j)}{r^*_{j,x}}} = B^{\frac{q_x(j)}{r^*_{j,x}}}, & \text{if } j \in w_{x'}; \\ g^{\frac{b\, q_x(j)}{b\, r^*_{j,x}}} = \big(g^{q_x(j)}\big)^{\frac{1}{r^*_{j,x}}}, & \text{otherwise.} \end{cases}$$ 

Then, for each non-leaf child node z of x in $T_u$: 

If z is a non-mapped node, PolyNotCare($T_z$, $\gamma$, $g^{q_x(\mathrm{index}(z))}$); 

If z is a satisfied node, PolySat($T_z$, $\gamma$, $q_x(\mathrm{index}(z))$); 

If z is an unsatisfied node, PolyUnsat($T_z$, $\gamma$, $g^{q_x(\mathrm{index}(z))}$). 

Figure 3.6: PolyUnsat($T_x$, $\gamma$, $g^{\lambda_x}$) 

PolyUnsat($T_x$, $\gamma$, $g^{\lambda_x}$) for an unsatisfied node $x \in \Sigma_{T_u}$ is defined as follows: 

This procedure generates a polynomial $q_x$ for an unsatisfied node x. We have an 
unsatisfied node x' such that map(x') = x. $\gamma$ does not satisfy the access tree $T^*_{x'}$, 
denoted as $T^*_{x'}(\gamma) = 0$, where $T^*_{x'}$ is a subtree of T*. $\lambda_x$ is an integer from $\mathbb{Z}_p$. The 
unsatisfied root node x' has at most $k_{x'} - 1$ satisfied child nodes. Thus, it could implicitly 
set $q_x(0) = \lambda_x$, and choose c - 1 other points at random to fix $q_x$ completely, including 

• $c - k_{x'}$ points as $q_x(j)$ for the dummy nodes of x, where $j \in w_{x'}$; 

• At most $k_{x'} - 1$ points as $q_x(\mathrm{index}(z'))$ if z' is a satisfied leaf child node of x', or 
$q_x(\mathrm{index}(z') + n + c - 1)$ where z' is a satisfied non-leaf child node of x'. 

It executes the steps in Figure 3.6. 


PolySat($T_x$, $\gamma$, $\lambda_x$) for a satisfied node $x \in \Sigma_{T_u}$ is defined as follows: 

This procedure generates a polynomial $q_x$ for a satisfied node x. We have a satisfied 
node x' such that map(x') = x. $\lambda_x$ is an integer from $\mathbb{Z}_p$. It sets $q_x(0) = \lambda_x$, and 
chooses c - 1 other points at random to completely fix $q_x$. Thus, for each $j \in U \cup U^* \cup 
\{n + c, \ldots, n + 2c - 1\}$, we can obtain $q_x(j)$. 

It executes the steps in Figure 3.7. 


For $j \in \gamma$, 

$$D_{j,x} = \begin{cases} g^{\frac{b\, q_x(j)}{r_{j,x}}} = B^{\frac{q_x(j)}{r_{j,x}}}, & \text{if } f(j, x') = 1; \\ g^{\frac{b\, q_x(j)}{b\, r_{j,x}}} = g^{\frac{q_x(j)}{r_{j,x}}}, & \text{otherwise.} \end{cases}$$ 

For $j \in U^*$, 

$$D^*_{j,x} = \begin{cases} g^{\frac{b\, q_x(j)}{r^*_{j,x}}} = B^{\frac{q_x(j)}{r^*_{j,x}}}, & \text{if } j \in w_{x'}; \\ g^{\frac{b\, q_x(j)}{b\, r^*_{j,x}}} = g^{\frac{q_x(j)}{r^*_{j,x}}}, & \text{otherwise.} \end{cases}$$ 

Then, for each non-leaf child node z of x in $T_u$: 

If z is a non-mapped node, PolyNotCare($T_z$, $\gamma$, $g^{q_x(\mathrm{index}(z))}$); 

If z is a satisfied node, PolySat($T_z$, $\gamma$, $q_x(\mathrm{index}(z))$); 

If z is an unsatisfied node, PolyUnsat($T_z$, $\gamma$, $g^{q_x(\mathrm{index}(z))}$). 

Figure 3.7: PolySat($T_x$, $\gamma$, $\lambda_x$) 


PolyNotCare($T_x$, $\gamma$, $g^{\lambda_x}$) for a non-mapped node $x \in \Sigma_{T_u}$ is defined as follows: 

This procedure generates a polynomial $q_x$ for a non-mapped node x. It implicitly 
sets $q_x(0) = \lambda_x$, and chooses c - 1 other points at random to fix $q_x$ implicitly. Thus, for 
$j \in U \cup U^* \cup \{n + c, \ldots, n + 2c - 1\}$, we could obtain $g^{q_x(j)}$. It outputs the following 
secret keys: 

$$\Big(\{D_{j,x} = g^{\frac{b\, q_x(j)}{b\, r_{j,x}}} = \big(g^{q_x(j)}\big)^{\frac{1}{r_{j,x}}}\}_{j \in \gamma},\ \{D^*_{j,x} = g^{\frac{b\, q_x(j)}{b\, r^*_{j,x}}} = \big(g^{q_x(j)}\big)^{\frac{1}{r^*_{j,x}}}\}_{j \in U^*}\Big).$$ 

Then, it calls PolyNotCare($T_z$, $\gamma$, $g^{q_x(\mathrm{index}(z))}$) for each non-leaf child node z of x 
in $T_u$. 

To give a secret key for an attribute set $\gamma$, S first runs PolyUnsat($T_r = T_u$, $\gamma$, A). 
Notice that we implicitly set y = ab by $Y = e(A, B) = e(g, g)^y$. The secret key 
corresponding to each non-leaf node is recursively given by the above three procedures. 
Finally, it outputs 

$$D = \big(\gamma,\ \{D_{j,x}\}_{j \in \gamma, x \in \Sigma_{T_u}},\ \{D^*_{j,x}\}_{j \in U^*, x \in \Sigma_{T_u}}\big).$$ 

Therefore, S can answer each secret key query with an attribute set $\gamma$, where $T^*(\gamma) = 0$. 
The distribution of these secret keys is identical to those in the real environment. 

Challenge The adversary A will submit two challenge messages $m_0$ and $m_1$ to S. 
Then, S chooses $\mu \in \{0, 1\}$ at random, and returns an encryption of $m_\mu$ under the 
challenge access tree T*. The challenge ciphertext E is formed as: 

$$\Big(T^*,\ E' = m_\mu \cdot Z,\ \{E_{j,x} = C^{r_{j,\mathrm{map}(x)}}\}_{j \in U, x \in \Sigma_{T^*}, f(j,x) = 1},\ \{E^*_{j,x} = C^{r^*_{j,\mathrm{map}(x)}}\}_{j \in w_x, x \in \Sigma_{T^*}}\Big).$$ 

If $(g, A, B, C, Z) \in D_{bdh}$ and we let s = c, we have $Y^s = e(g, g)^{abc}$ and 

$$E_{j,x} = C^{r_{j,\mathrm{map}(x)}} = \big(g^{r_{j,\mathrm{map}(x)}}\big)^s = T_{j,\mathrm{map}(x)}^s,\qquad E^*_{j,x} = C^{r^*_{j,\mathrm{map}(x)}} = \big(T^*_{j,\mathrm{map}(x)}\big)^s.$$ 

Therefore, the ciphertext is a valid random encryption of message $m_\mu$. 

Otherwise, if $(g, A, B, C, Z) \in D_{rand}$, we have $E' = m_\mu \cdot Z$. Since Z is randomly 
chosen from $G_T$, E' will be a random element of $G_T$ from the adversary's view and the 
ciphertext doesn't contain any information about $m_\mu$. 

Phase 2 The simulator S acts exactly as it did in Phase 1. 

Guess S outputs v' = 1 to indicate that it was given a tuple from $D_{bdh}$ if A gives a 
correct guess $\mu' = \mu$; otherwise it outputs v' = 0 to indicate that it was given a tuple from 
$D_{rand}$. 

Let us compute the success probability of S: 

In the case of v = 0, the adversary gains no information about $\mu$. Therefore, we 
have $\Pr[\mu \neq \mu' \mid v = 0] = \frac{1}{2}$. Since the simulator guesses v' = 0 when $\mu \neq \mu'$, we have 
$\Pr[v' = v \mid v = 0] = \Pr[v' = 0 \mid v = 0] = \frac{1}{2}$. 

In the case of v = 1, the adversary gets a valid ciphertext of $m_\mu$. By definition, the 
adversary has probability $\varepsilon$ to guess the correct $\mu'$, and thus $\Pr[\mu = \mu' \mid v = 1] = \frac{1}{2} + \varepsilon$. 
Since the simulator guesses v' = 1 when $\mu = \mu'$, we have $\Pr[v' = v \mid v = 1] = \Pr[v' = 1 \mid v = 1] = \frac{1}{2} + \varepsilon$. 

The overall advantage of the simulator to output a correct v' = v is 

$$\Pr[v' = v] - \frac{1}{2} = \Pr[v = v', v = 0] + \Pr[v = v', v = 1] - \frac{1}{2} = \frac{1}{2} \cdot \frac{1}{2} + \frac{1}{2} \cdot \Big(\frac{1}{2} + \varepsilon\Big) - \frac{1}{2} = \frac{\varepsilon}{2}. \quad \square$$ 

3.3.5 Extended BCPABE Scheme BCP_2 

Now, by using the one-time signature technique, we present an extended scheme BCP_2 
achieving chosen ciphertext security. 

The selective-tree CCA model was introduced in Section 3.3.2, and a similar security 
model can be found in [84]. 

We assume that the existing BCPABE scheme BCP_1 is secure in the selective-tree CPA 
model as presented in Section 3.3.2, including four algorithms 

(BCP_1.Setup, BCP_1.KGen, BCP_1.Enc, BCP_1.Dec) 

and a secure one-time signature ots, including three algorithms 

(ots.KGen, ots.Sig, ots.Ver). 

Assume that the verification key vk from ots is a bit string of length l, and we 
write $vk_i$ for the i-th bit in vk. Let $\mathcal{L}$ denote $\{1, 2, \ldots, l\}$. BCP_2 is constructed based 
on BCP_1 and ots, including the following algorithms: 

Setup(d, c): This algorithm takes two system parameters (d, c) as its input. Then, it 
calls BCP_1.Setup(d, c) to generate BCP_1's public parameter $PP_1$ and master key $MK_1$. 
In addition, it randomly chooses a set $\{t'_i\}_{i \in \{1, \ldots, 2l\}}$ from $\mathbb{Z}_p$ and defines $T'_i = g^{t'_i}$. 
Now, it outputs the public parameter $PP = (PP_1, \{T'_i\}_{i \in \{1, \ldots, 2l\}})$ and keeps the master 
key $MK = (MK_1, \{t'_i\}_{i \in \{1, \ldots, 2l\}})$. 

KGen($\gamma$, MK): This algorithm takes an attribute set $\gamma$ and the master key MK as its 
input. Then, it randomly chooses r' from $\mathbb{Z}_p$ and calls BCP_1.KGen($\gamma$, $MK_1$) to generate 
a user's secret key $D_1$ by using r' instead of y in $MK_1$ (i.e., $q_r(0) = r'$). For every $i \in \mathcal{L}$, 
let $D_{i,0} = g^{\eta_i / t'_i}$ and $D_{i,1} = g^{\eta_i / t'_{l+i}}$, where $\{\eta_i\}_{i \in \mathcal{L}}$ are randomly chosen from $\mathbb{Z}_p$. Define 
$r = r' + \sum_{i \in \mathcal{L}} \eta_i$ and let $\tilde{D} = g^{y - r}$. Finally, it outputs $D = (D_1, \{D_{i,0}, D_{i,1}\}_{i \in \mathcal{L}}, \tilde{D})$. 

Enc(m, PP, T): This algorithm takes a message m, the public parameter PP, and a 
(d, c)-bounded access tree T as its input. 

It first calls BCP_1.Enc(m, $PP_1$, T) and obtains a partial ciphertext $E_1$. Then, a 
key pair (sk, vk) is obtained by running ots.KGen. For each $i \in \mathcal{L}$, it sets $E'_i = 
T'^s_i$ if $vk_i = 0$; $E'_i = T'^s_{l+i}$ otherwise. Let $\tilde{E} = g^s$.^5 It runs ots.Sig with input 
(sk, $(E_1, \{E'_i\}_{i \in \mathcal{L}}, \tilde{E})$) and obtains $\sigma$. 

The output ciphertext is $E = (E_1, \{E'_i\}_{i \in \mathcal{L}}, \tilde{E}, \sigma, vk)$. 

Dec(D, E): This algorithm takes a secret key D and a ciphertext E as its input. 

It first checks whether $\sigma$ is a valid signature on the message $(E_1, \{E'_i\}_{i \in \mathcal{L}}, \tilde{E})$ using vk. 

5 Here, s is consistent with the random value in $E_1$. 

If valid, it proceeds as follows; otherwise, it outputs $\bot$. 

It extracts $D_1$ and $E_1$ from the tuple (D, E) and consequently recovers $e(g, g)^{sr'}$ 
according to BCP_1.Dec. 

For each $i \in \mathcal{L}$, it computes 

$$e(g, g)^{s \eta_i} = \begin{cases} e(D_{i,0}, T'^s_i) = e(g^{\eta_i / t'_i}, g^{t'_i s}), & \text{if } vk_i = 0; \\ e(D_{i,1}, T'^s_{l+i}) = e(g^{\eta_i / t'_{l+i}}, g^{t'_{l+i} s}), & \text{if } vk_i = 1. \end{cases}$$ 

Finally, it computes 

$$m = \frac{E'}{e(\tilde{E}, \tilde{D}) \cdot e(g, g)^{sr'} \cdot \prod_{i \in \mathcal{L}} e(g, g)^{s \eta_i}}.$$ 

Compared with BCP_1, BCP_2's ciphertext is augmented with l elements, while the public 
parameter and secret key are both augmented with 2l elements. Another method 
for extending BCP_1 to the CCA security level has been mentioned in [129]. It treats each 
verification key as an attribute. However, it has a shorter additional ciphertext size (1 
element) but a larger additional size of public parameter and secret key (2l elements). 
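The BCP_2 wiring above, as an added Python model that is not from the book: a group element $g^v$ is held as the exponent v mod p and a pairing as a product, the inner BCP_1 ciphertext is reduced to a single (D_1, E_1) pair that yields $e(g,g)^{sr'}$, and ots is a Lamport one-time signature over SHA-256 whose l-bit string vk is the hash of the key (all assumptions). It shows the two properties the construction relies on: a ciphertext altered without re-signing is rejected before any recombination, and one re-signed under an adversary's own vk verifies but no longer recombines, because the $E'_i$ were selected by the original vk bits.

```python
import hashlib
import os
import random

P = 2**127 - 1      # prime standing in for the group order p (assumption)
L = 256             # l: bit length of the ots verification key string


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def bits_of(b: bytes, n: int):
    return [(b[i >> 3] >> (7 - (i & 7))) & 1 for i in range(n)]


def ots_kgen():
    """Lamport one-time signature: 256 pairs of random preimages, vk = their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(L)]
    return sk, [(H(a), H(b)) for a, b in sk]


def ots_sig(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(bits_of(H(msg), L))]


def ots_ver(sig, msg: bytes, vk) -> bool:
    return all(H(sig[i]) == vk[i][bit] for i, bit in enumerate(bits_of(H(msg), L)))


def vk_bits(vk):
    """vk_i for i in L: the l-bit string of vk (here SHA-256 of its encoding, an assumption)."""
    return bits_of(H(b"".join(a + b for a, b in vk)), L)


def encode(*vals) -> bytes:
    return b"".join(v.to_bytes(32, "big") for v in vals)


def setup():
    """PP = (PP_1, T'_1..T'_{2l}); PP_1 is reduced to one t_in (stand-in for BCP_1)."""
    return {"y": random.randrange(1, P), "t_in": random.randrange(1, P),
            "tp": [random.randrange(1, P) for _ in range(2 * L)]}


def keygen(pp):
    """D = (D_1, {D_{i,0}, D_{i,1}}, D~): D_{i,0} = eta_i/t'_i, D_{i,1} = eta_i/t'_{l+i},
    D~ = y - r with r = r' + sum(eta_i); D_1 stands in for BCP_1.KGen with q_r(0) = r'."""
    inv = lambda t: pow(t, P - 2, P)
    r_prime = random.randrange(1, P)
    eta = [random.randrange(1, P) for _ in range(L)]
    return {"D1": r_prime * inv(pp["t_in"]) % P,
            "D": [(e * inv(pp["tp"][i]) % P, e * inv(pp["tp"][L + i]) % P)
                  for i, e in enumerate(eta)],
            "Dt": (pp["y"] - (r_prime + sum(eta))) % P}


def encrypt(pp, m: int):
    """E = (E_1, {E'_i}, E~, sigma, vk): E'_i = T'^s_i if vk_i = 0 else T'^s_{l+i},
    and sigma signs (E_1, {E'_i}, E~) under a fresh one-time key."""
    s = random.randrange(1, P)
    e1 = {"E'": (m + s * pp["y"]) % P, "E": s * pp["t_in"] % P}   # E' = m * Y^s
    sk, vk = ots_kgen()
    ep = [s * pp["tp"][i + L * bit] % P for i, bit in enumerate(vk_bits(vk))]
    sigma = ots_sig(sk, encode(e1["E'"], e1["E"], *ep, s))
    return {"E1": e1, "Ep": ep, "Et": s, "sigma": sigma, "vk": vk}


def decrypt(d, c):
    """Verify sigma first and output None (bottom) on failure; then recombine."""
    if not ots_ver(c["sigma"], encode(c["E1"]["E'"], c["E1"]["E"], *c["Ep"], c["Et"]), c["vk"]):
        return None
    s_r = d["D1"] * c["E1"]["E"] % P                          # e(g,g)^{s r'} via BCP_1.Dec
    s_eta = sum(d["D"][i][bit] * c["Ep"][i] for i, bit in enumerate(vk_bits(c["vk"]))) % P
    return (c["E1"]["E'"] - (c["Et"] * d["Dt"] + s_r + s_eta)) % P   # m = E' / (...)


def demo(m: int = 424242):
    """Returns (honest decryption, result for a modified E' with the old signature,
    result after an adversary re-signs the modified ciphertext under its own vk)."""
    pp = setup()
    d = keygen(pp)
    c = encrypt(pp, m)
    honest = decrypt(d, c)
    tampered = {**c, "E1": {**c["E1"], "E'": (c["E1"]["E'"] + 1) % P}}
    rejected = decrypt(d, tampered)                         # signature no longer verifies
    sk2, vk2 = ots_kgen()
    resigned = {**tampered, "vk": vk2}
    resigned["sigma"] = ots_sig(sk2, encode(resigned["E1"]["E'"], resigned["E1"]["E"],
                                            *resigned["Ep"], resigned["Et"]))
    mismatched = decrypt(d, resigned)   # verifies, but the E'_i were built for the old vk bits
    return honest, rejected, mismatched
```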


3.3.6 Security Proof of BCP_2 

The selective-tree CCA model is introduced in Section 3.3.2. We prove the security 
of BCP_2 based on the strong existential unforgeability of ots and the 
DBDH assumption. 

Theorem 3.3.4. Suppose ots is an $\varepsilon_{ots}$-secure one-time signature scheme. If the DBDH 
assumption holds in $(G, G_T)$, then scheme BCP_2 is selective-tree CCA secure in the 
standard model. 

Proof. Suppose there is a polynomial-time adversary A who can attack BCP_2 in the 
selective-tree CCA model with non-negligible advantage $\varepsilon$. We construct a simulator S 
who can distinguish the DBDH tuple from a random tuple with non-negligible advantage 
$\varepsilon/2 - \varepsilon_{ots}$. 

We first let the challenger set the groups G and $G_T$ with an efficient bilinear map e 
and a generator g. The challenger flips a fair binary coin v, outside of S's view. If v = 1, 
the challenger sets $(g, A, B, C, Z) \in D_{bdh}$; otherwise it sets $(g, A, B, C, Z) \in D_{rand}$. 

Init The simulator S runs A. A chooses a (d, c)-bounded access tree T* it wishes 
to be challenged upon. S runs ots.KGen to obtain $(sk^*, vk^*)$. S sets $Y = e(g, g)^{ab} = 
e(A, B)$. S defines a (d, c)-universal access tree $T_u$ and a map from T* to $T_u$. Then, it 
generates $PP_1$ as in the Init step in Section 4.2. 

For $i \in \mathcal{L}$, randomly choose $\theta_i, \theta_{l+i} \in \mathbb{Z}_p$ and implicitly set 

if $vk^*_i = 0$, $t'_i = \theta_i$, $T'_i = g^{\theta_i}$ and $t'_{l+i} = b\,\theta_{l+i}$, $T'_{l+i} = B^{\theta_{l+i}}$; 

if $vk^*_i = 1$, $t'_i = b\,\theta_i$, $T'_i = B^{\theta_i}$ and $t'_{l+i} = \theta_{l+i}$, $T'_{l+i} = g^{\theta_{l+i}}$. 

The algorithm outputs the public parameter 

$$PP = (PP_1, \{T'_i\}_{i \in \{1, \ldots, 2l\}}).$$ 

Phase 1 A is allowed to make secret key queries and decryption queries: 

• Secret Key Query. A submits an attribute set $\gamma$ such that $T^*(\gamma) = 0$. S randomly 
chooses $r'', \eta'_i \in \mathbb{Z}_p$ for $i \in \mathcal{L}$ and implicitly sets $r' = ab + b\,r''$, $\eta_i = b\,\eta'_i$. 

According to Phase 1 in Section 4, it calls PolyUnsat($T_u$, $\gamma$, $A \cdot g^{r''}$) and 
obtains $D_1$. Then, it computes 

$$\tilde{D} = g^{y - r} = g^{ab - ab - b r'' - \sum_{i \in \mathcal{L}} b \eta'_i} = \frac{1}{B^{r''} \cdot \prod_{i \in \mathcal{L}} B^{\eta'_i}},$$ 

and for $i \in \mathcal{L}$, if $vk^*_i = 0$, 

$$D_{i,0} = B^{\eta'_i / \theta_i} \quad \text{and} \quad D_{i,1} = g^{\eta'_i / \theta_{l+i}};$$ 

if $vk^*_i = 1$, 

$$D_{i,0} = g^{\eta'_i / \theta_i} \quad \text{and} \quad D_{i,1} = B^{\eta'_i / \theta_{l+i}}.$$ 

Finally, it outputs the secret key 

$$D = (D_1, \{D_{i,0}, D_{i,1}\}_{i \in \mathcal{L}}, \tilde{D}).$$ 


• Decryption Query. A submits a ciphertext $E = (E_1, \{E'_i\}_{i \in \mathcal{L}}, \tilde{E}, \sigma, vk)$ related 
with T. S checks the signature $\sigma$ using vk. If $\sigma$ is invalid, S outputs $\bot$; otherwise 
S checks if vk = vk*. If so, we call it a forge event and S outputs v' = 0 to 
indicate that it was given a tuple from $D_{rand}$. Now, the only case is vk $\neq$ vk*. 
In such a case, S defines an attribute set $\gamma$ such that $T(\gamma) = 1$. If $T^*(\gamma) = 0$, 
generate a secret key related with $\gamma$ as in the secret key query and use it to decrypt 
E; otherwise $T^*(\gamma) = 1$. Without loss of generality, assume $vk_j = 1$, $vk^*_j = 0$. 
S generates a partial secret key for decrypting E as follows: 

- S randomly chooses $r'', \eta'_i \in \mathbb{Z}_p$ for $i \in \mathcal{L}$ and implicitly sets: $r' = 
b\,r''$, $\eta_i = b\,\eta'_i$ for $i \neq j$ and $\eta_j = ab + b\,\eta'_j$. 

- According to Phase 1 in Section 4.2, it calls PolySat($T_u$, $\gamma$, r'') and obtains 
$D_1$ related with $\gamma$. Now, it can use $D_1$ to decrypt $E_1$ and obtains 
$e(g, g)^{sr'}$. 

- For $i \in \mathcal{L}$ and $i \neq j$, if $vk^*_i = 0$, 

$$D_{i,0} = B^{\eta'_i / \theta_i} \quad \text{and} \quad D_{i,1} = g^{\eta'_i / \theta_{l+i}};$$ 

if $vk^*_i = 1$, 

$$D_{i,0} = g^{\eta'_i / \theta_i} \quad \text{and} \quad D_{i,1} = B^{\eta'_i / \theta_{l+i}}.$$ 

- For i = j, it can only generate 

$$D_{j,1} = g^{\frac{ab + b \eta'_j}{b\, \theta_{l+j}}} = A^{1 / \theta_{l+j}} \cdot g^{\eta'_j / \theta_{l+j}}.$$ 

This is sufficient for our decryption since $vk_j = 1$ and $T'^s_{l+j}$ is involved in 
ciphertext E. Note that $e(D_{j,1}, T'^s_{l+j}) = e(g, g)^{s \eta_j}$. 

- S then computes 

$$\tilde{D} = g^{y - r} = g^{ab - b r'' - ab - \sum_{i \in \mathcal{L}} b \eta'_i} = \frac{1}{B^{r''} \cdot \prod_{i \in \mathcal{L}} B^{\eta'_i}}.$$ 

- Finally, S outputs 

$$m = \frac{E'}{e(\tilde{E}, \tilde{D}) \cdot e(g, g)^{sr'} \cdot \prod_{i \in \mathcal{L}} e(g, g)^{s \eta_i}}.$$ 

Challenge The adversary A will submit two challenge messages $m_0$ and $m_1$ to S. 
Then, S chooses $\mu \in \{0, 1\}$ at random, and returns an encryption of $m_\mu$ under the 
challenge access tree T* as follows: 

• It first generates an encryption $E^*_1$ according to Challenge in Section 4.2. 

• It generates a signature 

$$\sigma^* = \mathrm{ots.Sig}\big(sk^*,\ (E^*_1, \{C^{\theta_i}\}_{i \in \mathcal{L}, vk^*_i = 0}, \{C^{\theta_{l+i}}\}_{i \in \mathcal{L}, vk^*_i = 1}, C)\big).$$ 

It outputs the challenge ciphertext 

$$E^* = \big(E^*_1, \{C^{\theta_i}\}_{i \in \mathcal{L}, vk^*_i = 0}, \{C^{\theta_{l+i}}\}_{i \in \mathcal{L}, vk^*_i = 1}, C, \sigma^*, vk^*\big).$$ 

Let s = c. If $(g, A, B, C, Z) \in D_{bdh}$, we have 

$$Y^s = e(g, g)^{abc},\qquad E'_i = C^{\theta_i} = (g^s)^{\theta_i} = T'^s_i \ (vk^*_i = 0),\qquad E'_i = C^{\theta_{l+i}} = (g^s)^{\theta_{l+i}} = T'^s_{l+i} \ (vk^*_i = 1),\qquad \tilde{E} = C = g^s.$$ 

Therefore, the ciphertext is a valid random encryption of message $m_\mu$. 

Otherwise, if $(g, A, B, C, Z) \in D_{rand}$, we have $E' = m_\mu \cdot Z$. Since Z is randomly 
chosen from $G_T$, E' will be a random element of $G_T$ from the adversary's view. Thus 
the ciphertext contains no information about $m_\mu$. 

Phase 2 The simulator S acts exactly as it did in Phase 1. 

Guess S outputs v' = 1 to indicate that it was given a tuple from $D_{bdh}$ if A gives a 
correct guess $\mu' = \mu$; otherwise v' = 0 to indicate that it was given a tuple from $D_{rand}$. 

Let us compute the success probability of S: 

In the case of v = 0, the adversary doesn't gain any information about $\mu$. Therefore, 
we have $\Pr[\mu \neq \mu' \mid v = 0] = \frac{1}{2}$. Since the simulator guesses v' = 0 when $\mu \neq \mu'$ (no 
forge), we have 

$$\begin{aligned} \Pr[v' = v \mid v = 0] &= \Pr[v' = 0 \mid v = 0] = \Pr[\mu \neq \mu', \neg\mathrm{forge} \mid v = 0] + \Pr[\mathrm{forge} \mid v = 0] \\ &= \Pr[\mu \neq \mu' \mid v = 0] - \Pr[\mu \neq \mu', \mathrm{forge} \mid v = 0] + \Pr[\mathrm{forge} \mid v = 0] \\ &\ge \frac{1}{2} - \Pr[\mathrm{forge} \mid v = 0] = \frac{1}{2} - \varepsilon_{ots}. \end{aligned}$$ 

In the case of v = 1, the adversary gets a valid ciphertext of $m_\mu$. By definition, the 
adversary has probability $\varepsilon$ to guess the correct $\mu'$, and thus $\Pr[\mu = \mu' \mid v = 1] = \frac{1}{2} + \varepsilon$. 
Since the simulator guesses v' = 1 when ($\mu = \mu'$, no forge), we have 

$$\begin{aligned} \Pr[v' = v \mid v = 1] &= \Pr[v' = 1 \mid v = 1] = \Pr[\mu = \mu', \neg\mathrm{forge} \mid v = 1] \\ &= \Pr[\mu = \mu' \mid v = 1] - \Pr[\mu = \mu', \mathrm{forge} \mid v = 1] \\ &\ge \frac{1}{2} + \varepsilon - \Pr[\mathrm{forge} \mid v = 1] = \frac{1}{2} + \varepsilon - \varepsilon_{ots}. \end{aligned}$$ 

The overall advantage of the simulator to output a correct v' = v is 

$$\begin{aligned} \Pr[v = v'] - \frac{1}{2} &= \Pr[v = v', v = 0] + \Pr[v = v', v = 1] - \frac{1}{2} \\ &\ge \frac{1}{2} \cdot \Big(\frac{1}{2} - \varepsilon_{ots}\Big) + \frac{1}{2} \cdot \Big(\frac{1}{2} + \varepsilon - \varepsilon_{ots}\Big) - \frac{1}{2} = \frac{\varepsilon}{2} - \varepsilon_{ots}. \quad \square \end{aligned}$$ 

Figure 3.8: An example access tree accepted by BCP_1 but not accepted by GJPS 


3.3.7 Comparisons 

Access Policy: In this section, we compare the expressive capability of the access tree 
of BCP_1 with that of the GJPS scheme bounded by the same parameters (d, c). Actually, 
according to the definition of BCP_1 on the (d, c)-bounded access tree, each non-leaf 
node has a threshold value of at most c, and no more than c non-leaf nodes share a 
single parent. Thus, one difference in the restriction on access trees between 
GJPS and BCP_1 is that if a non-leaf node x has a non-leaf child node, in GJPS the total 
number of x's child nodes must be no more than c, while in BCP_1 the total number of 
x's non-leaf child nodes must be no more than c. Therefore, our scheme accommodates 
more possible access policies chosen by the sender under the same pre-set bounds. (An 
example is shown in Figure 3.8.) 

Efficiency and Parameter Size: Now, we discuss the comparisons on the computational 
cost of each algorithm and the sizes of parameters between GJPS and BCP_1 
in Table 3.1, both of which are proved secure in the selective-tree CPA model. We 
assume that both schemes are initialized with the same system parameters (d, c) and consider 
an encryption under a (d, c)-bounded access tree T (this access tree must be 
chosen suitable for both schemes since there is a difference between the acceptable 
access trees of the two schemes). $T_n$ is T's normal form. The secret key is associated 
with an attribute set $\gamma$ such that $T(\gamma) = 1$ and $|\gamma| = x$. $\hat{T}$ and $\hat{T}_n$ are the 
$\gamma$-satisfied non-redundant trees of T and $T_n$ with minimum non-leaf nodes, respectively. 
$|U| = n$, $|U^*| = c - 1$, $|\Sigma_{T_u}| = \frac{c^d - 1}{c - 1}$. Here, TExp represents the cost of one 
modular exponentiation, and TPair represents the cost of one bilinear pairing computation. 
$T_{S1}$, $T_{K1}$, $T_{E1}$, and $T_{D1}$ represent the computational cost of the Setup, KGen, Enc and 
Dec algorithms in GJPS. $L_{P1}$, $L_{S1}$, and $L_{C1}$ represent the size of the public parameter, secret 
key and ciphertext in GJPS. The mark with "2" indicates the counterpart of BCP_1. 


Mark      | times  | Computational cost 
----------|--------|------------------------------------------------------------------------------ 
$T_{S1}$  | 1      | $\mathrm{TPair} + (n c^{d-1} + c^d) \cdot \mathrm{TExp}$ 
$T_{S2}$  | 1      | $\mathrm{TPair} + (n \times \frac{c^d - 1}{c - 1} + c^d) \cdot \mathrm{TExp}$ 
$T_{K1}$ ✓ | 1/user | $(x c^{d-1} + c^d - 1) \cdot \mathrm{TExp}$ 
$T_{K2}$  | 1/user | $(x \times \frac{c^d - 1}{c - 1} + c^d - 1) \cdot \mathrm{TExp}$ 
$T_{E1}$  | many   | $(1 + |\Theta_{T_n}| + \sum_{x \in \Sigma_{T_n}} (c - k_x)) \cdot \mathrm{TExp}$ 
$T_{E2}$ ✓ | many   | $(1 + |\Theta_T| + \sum_{x \in \Sigma_T} (c - k_x)) \cdot \mathrm{TExp}$ 
$T_{D1}$  | many   | $(|\Sigma_{\hat{T}_n}| \times c - |\Sigma_{\hat{T}_n}| + 1) \cdot \mathrm{TPair} + |\Sigma_{\hat{T}_n}| \times c \cdot \mathrm{TExp}$ 
$T_{D2}$  | many   | $(|\Sigma_{\hat{T}}| \times c - |\Sigma_{\hat{T}}| + 1) \cdot \mathrm{TPair} + |\Sigma_{\hat{T}}| \times c \cdot \mathrm{TExp}$ 

Mark      | number | Size 
----------|--------|------------------------------------------------------------------------------ 
$L_{P1}$  | 1      | $|G_T| + (n c^{d-1} + c^d - 1) \cdot |G|$ 
$L_{P2}$  | 1      | $|G_T| + (n \times \frac{c^d - 1}{c - 1} + c^d - 1) \cdot |G|$ 
$L_{S1}$ ✓ | 1/user | $(x c^{d-1} + c^d - 1) \cdot |G|$ 
$L_{S2}$  | 1/user | $(x \times \frac{c^d - 1}{c - 1} + c^d - 1) \cdot |G|$ 
$L_{C1}$  | many   | $|G_T| + (|\Theta_{T_n}| + \sum_{x \in \Sigma_{T_n}} (c - k_x)) \cdot |G|$ 
$L_{C2}$ ✓ | many   | $|G_T| + (|\Theta_T| + \sum_{x \in \Sigma_T} (c - k_x)) \cdot |G|$ 

Table 3.1: Comparisons between the scheme in GJPS and BCP_1 (✓ marks kept where they appear in the original layout) 


Generally, $c$ is set to be no less than 2, and then 

$$x \cdot \frac{c^d - 1}{c - 1} + c^d - 1 \;<\; 2 \cdot \left(x c^{d-1} + c^d - 1\right).$$

This follows from the deduction 

$$2 \le c \;\Rightarrow\; 2c^{d-1} - 1 < c^d \;\Rightarrow\; \frac{c^d - 1}{c - 1} < 2c^{d-1},$$

since $c^d - 1 < 2c^{d-1}(c - 1)$ is equivalent to $2c^{d-1} - 1 < c^d$. Therefore we obtain 

$$T_{S2} < 2T_{S1},\qquad T_{K2} < 2T_{K1},\qquad L_{P2} < 2L_{P1},\qquad L_{S2} < 2L_{S1}.$$
3.4 Multi-Authority Encryption Schemes 

When Sahai and Waters [241] introduced the notion of ABE, they also posed the following 
open problem: is it possible to construct an ABE scheme in which many different authorities 
operate simultaneously, each handing out secret keys for a different set of attributes? This 
is an interesting and practical problem. In the aforementioned ABE systems, all attributes 
are managed by a single authority. In some applications, however, this may not be desirable. 
For example, Alice encrypts a message with the access policy ("UNIV.X.COMPUTER SCIENCE" AND 
"UNIV.X.ALUMNI" AND "COMP.Y.ENGINEER") so that only receivers who are computer science 
alumni of University X and currently working as an engineer for Company Y can decrypt. 
The authority UNIV.X Registry may only manage attributes for the students, staff and alumni 
of University X, while COMP.Y Registry may be the authority handling its employees' 
attributes. A single-authority ABE may not be appropriate in this scenario. Another problem 
of single-authority ABE is the so-called key escrow problem: since the single authority is 
responsible for issuing private keys for all attributes, it can decrypt any ciphertext in 
the system, so the authority must be fully trusted. Several multi-authority ABE systems 
[78,79,184,198,201,217] have been proposed to achieve better expressiveness, efficiency and 
security in the multi-authority setting. The problems of privacy and key escrow are also 
considered in those papers. Table 3.2 shows the properties of these systems in terms of 
security, expressiveness, and additional properties such as protecting privacy and 
preventing decryption by an individual authority. 

Table 3.2: Existing Multi-Authority ABE Systems 

  Scheme   Adaptively   Standard   Prevent Decryption by     KP/CP   Expressiveness 
           Secure       Model      Individual Authorities 
  --------------------------------------------------------------------------------------
  [78]     ✗            ✓          ✗³                        KP      Limited¹ 
  [198]    ✗            ✓          ✓                         KP      Limited¹ 
  [79]⁴    ✗            ✓          ✓                         KP      Limited¹ 
  [217]    ✗            ✓          ✗³                        CP      Expressive² 
  [184]    ✓            ✗          Partially³                CP      Expressive² 
  [201]    ✓            ✓          ✓                         CP      Expressive² 

¹ [78,79,198] are KP-ABE systems. In these systems, the policy of each key is defined by 
several sub-policies, each corresponding to one authority, and the policy is satisfied only 
when all of its sub-policies are satisfied, i.e., the policy supports only an AND relation 
between authorities. 

² [184,201,217] are CP-ABE systems, and the encryptor can encrypt messages under any 
monotone access structure defined over the whole attribute universe. 

³ In [78,217], there is an authority, called the Central Authority, that can decrypt all 
ciphertexts. Although no individual authority in [184] can decrypt all ciphertexts in the 
system, each authority can individually decrypt those ciphertexts whose policies are 
satisfied by the attributes it manages. 

⁴ The system in [79] protects user privacy from the authorities. 

Chase [78] proposed the first multi-authority ABE system, with one CA (central authority) 
and multiple AAs (attribute authorities). The CA issues identity-related keys to users, 
and the AAs manage attributes and issue attribute-related keys. A user's keys from 
different AAs are linked together by the user's global identifier. The expressiveness of 
the system is limited: only an "AND" policy between the AAs is supported. Also, the CA can 
decrypt all ciphertexts. We [198] removed the CA using a threshold technique where the set 
of authorities is fixed in advance and all authorities must interact during system setup. 
That system cannot defend against a collusion attack by $m$ or more users, where $m$ is a 
system parameter chosen at setup. Chase and Chow [79] also removed the central authority, 
using a distributed PRF (pseudorandom function) technique. However, the expressiveness is 
as limited as in Chase's original system, and their technique does not seem applicable to 
CP-ABE. While [78,79,198] focused on KP-ABE, Müller, Katzenbeisser and Eckert [217] 
proposed the first multi-authority CP-ABE system, with one CA and multiple AAs. The AAs 
operate independently of each other, which makes the scheme flexible and practical. 
However, the CA in the system can still decrypt all ciphertexts. 

Lewko and Waters [184] proposed the first adaptively secure multi-authority CP-ABE 
system. The system is expressive, supporting any monotone access structure. There is no 
central authority, and each authority in the system operates independently. However, the 
system is proven secure in the random oracle model, and each authority can still 
independently decrypt a ciphertext if the attributes it manages satisfy the associated 
access policy. 

We [201] proposed a new multi-authority CP-ABE system which aims to address these 
problems simultaneously. The system has multiple central authorities (CAs) and attribute 
authorities (AAs). The CAs issue identity-related keys to users but are not involved in 
any attribute-related operations. The AAs issue attribute-related keys to users. Each AA 
manages a different attribute domain and operates independently of the other AAs. A party 
may join the system as an AA by simply registering itself with the CAs and then publishing 
its attribute-related public parameters. In the proposed system, no authority can 
independently decrypt any ciphertext. The system is adaptively secure in the standard 
model, in a model which captures adaptive authority corruption. Its access policy can be 
any monotone access structure, and the system supports a large attribute universe. The 
efficiency of the system is also comparable to that of the corresponding single-authority 
CP-ABE system [181], which is regarded as the "state-of-the-art" single-authority CP-ABE 
system. 

Figure 3.9 shows the architecture of the multi-authority CP-ABE system. The system has 
$D$ central authorities, $CA_1, \ldots, CA_D$, and $K$ attribute authorities, 
$AA_1, \ldots, AA_K$. Each AA manages a different domain of attributes (e.g., $AA_1$ 
manages $U_1$, and so on). When a user joins the system, each CA issues an 
identity-related key to the user. The user then obtains from an AA (e.g., UNIV.X Registry) 
an attribute-related key corresponding to the attributes the user is entitled to. In 
practice, one may imagine multiple CAs run by different organizations, all governed by 
some ordinance made by the government; universities and companies can then join the 
system as AAs. Each AA manages its own attribute domain, and the AAs operate independently 
of each other. The trust that users must place in the CAs is also reduced, as it is 
unlikely that all the CAs collude if appropriate governmental policies and business 
measures are put in place to govern the practice of the CAs. 

Figure 3.9: Architecture of Multi-Authority CP-ABE 

3.4.1 Security Models 

Similar to [181,184], the system is constructed over composite-order groups. Let 
$\mathcal{G}$ be the group generator, which takes a security parameter $\lambda$ and outputs 

$$(p_1, p_2, p_3, G, G_T, e)$$

where $p_1$, $p_2$ and $p_3$ are distinct primes, $G$ and $G_T$ are cyclic groups of order 
$N = p_1 p_2 p_3$, and $e : G \times G \to G_T$ is a map such that: (1) (Bilinear) 
$\forall g, h \in G,\ a, b \in \mathbb{Z}_N$: $e(g^a, h^b) = e(g, h)^{ab}$; 
(2) (Non-degenerate) $\exists g \in G$ such that $e(g, g)$ has order $N$ in $G_T$. Assume 
that the group operations in $G$ and $G_T$ as well as the bilinear map $e$ are computable 
in polynomial time with respect to $\lambda$. Let $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$ be the 
subgroups of order $p_1$, $p_2$ and $p_3$ in $G$, respectively. Note that for any 
$h_i \in G_{p_i}$ and $h_j \in G_{p_j}$ with $i \ne j$, $e(h_i, h_j) = 1$; this 
orthogonality is what makes the $G_{p_3}$ randomizers in the keys below, and later the 
$G_{p_2}$ components of semi-functional keys and ciphertexts, vanish under pairing with 
$G_{p_1}$ elements. 

The security of the system is based on the following three assumptions, which are also 
used by [183] (for IBE) and [181] (for CP-ABE) to obtain full security. 

An element $T \in G$ can be written uniquely as the product of elements of $G_{p_1}$, 
$G_{p_2}$ and $G_{p_3}$, which are referred to as the "$G_{p_1}$ part of $T$", the 
"$G_{p_2}$ part of $T$" and the "$G_{p_3}$ part of $T$", respectively. In the assumptions 
below, let $G_{p_1 p_2}$ and $G_{p_1 p_3}$ be the subgroups of order $p_1 p_2$ and 
$p_1 p_3$ in $G$, respectively. Similarly, an element of $G_{p_1 p_2}$ can be written as 
the product of elements of $G_{p_1}$ and $G_{p_2}$, and an element of $G_{p_1 p_3}$ as the 
product of elements of $G_{p_1}$ and $G_{p_3}$. 

Assumption 1 (Subgroup decision problem for 3 primes) [183]. Given a group generator 
$\mathcal{G}$, define the following distribution: 

$$\mathbb{G} = (N = p_1 p_2 p_3, G, G_T, e) \xleftarrow{R} \mathcal{G},\quad 
g \xleftarrow{R} G_{p_1},\quad X_3 \xleftarrow{R} G_{p_3},\quad 
D = (\mathbb{G}, g, X_3),\quad T_1 \xleftarrow{R} G_{p_1 p_2},\quad T_2 \xleftarrow{R} G_{p_1}.$$

The advantage of an algorithm $\mathcal{A}$ in breaking Assumption 1 is 

$$Adv1_{\mathcal{G},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]\right|.$$

Definition 3.4.1. $\mathcal{G}$ satisfies Assumption 1 if $Adv1_{\mathcal{G},\mathcal{A}}(\lambda)$ 
is a negligible function of $\lambda$ for any polynomial-time algorithm $\mathcal{A}$. 

Assumption 2 [183]. Given $\mathcal{G}$, define the following distribution: 

$$\mathbb{G} = (N = p_1 p_2 p_3, G, G_T, e) \xleftarrow{R} \mathcal{G},\quad 
g, X_1 \xleftarrow{R} G_{p_1},\quad X_2, Y_2 \xleftarrow{R} G_{p_2},\quad 
X_3, Y_3 \xleftarrow{R} G_{p_3},$$
$$D = (\mathbb{G}, g, X_1 X_2, X_3, Y_2 Y_3),\quad T_1 \xleftarrow{R} G,\quad T_2 \xleftarrow{R} G_{p_1 p_3}.$$

The advantage of an algorithm $\mathcal{A}$ against Assumption 2 is 

$$Adv2_{\mathcal{G},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]\right|.$$

Definition 3.4.2. $\mathcal{G}$ satisfies Assumption 2 if $Adv2_{\mathcal{G},\mathcal{A}}(\lambda)$ 
is a negligible function of $\lambda$ for any polynomial-time algorithm $\mathcal{A}$. 

Assumption 3 [183]. Given $\mathcal{G}$, define the following distribution: 

$$\mathbb{G} = (N = p_1 p_2 p_3, G, G_T, e) \xleftarrow{R} \mathcal{G},\quad 
g \xleftarrow{R} G_{p_1},\quad \alpha, s \xleftarrow{R} \mathbb{Z}_N,\quad 
X_2, Y_2, Z_2 \xleftarrow{R} G_{p_2},\quad X_3 \xleftarrow{R} G_{p_3},$$
$$D = (\mathbb{G}, g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2),\quad 
T_1 = e(g, g)^{\alpha s},\quad T_2 \xleftarrow{R} G_T.$$

The advantage of an algorithm $\mathcal{A}$ against Assumption 3 is 

$$Adv3_{\mathcal{G},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]\right|.$$

Definition 3.4.3. $\mathcal{G}$ satisfies Assumption 3 if $Adv3_{\mathcal{G},\mathcal{A}}(\lambda)$ 
is a negligible function of $\lambda$ for any polynomial-time algorithm $\mathcal{A}$. 

Notations. There are three sets of entities in a multi-authority ciphertext-policy 
attribute-based encryption (MA-CP-ABE) system: (1) central authorities (CAs), 
(2) attribute authorities (AAs) and (3) users. Let $CA_1, \ldots, CA_D$ be the central 
authorities and $\mathbb{D} = \{1, \ldots, D\}$ the index set of the CAs, so that 
$d \in \mathbb{D}$ denotes the index of central authority $CA_d$. Let $AA_1, \ldots, AA_K$ 
be the attribute authorities and $\mathbb{K} = \{1, \ldots, K\}$ the index set of the AAs. 
Each user has a global identifier denoted $gid$. The CAs are responsible for issuing keys 
to users according to their global identifiers. The AAs are responsible for issuing keys 
corresponding to attributes, and each AA manages a different attribute domain (e.g., 
$AA_i$ manages attributes for a university registry and $AA_j$ manages attributes for a 
company registry). Let $U_k$ be the attribute domain managed by $AA_k$, where 
$U_i \cap U_j = \emptyset$ for all $i \ne j \in \mathbb{K}$, and let 
$U = \bigcup_{k=1}^{K} U_k$ be the attribute universe. 

Definition. An MA-CP-ABE system consists of the following seven algorithms: 

GlobalSetup($\lambda$) $\to$ GPK: The algorithm takes as input the security parameter 
$\lambda$ and outputs the global public parameter GPK of the system. 

CASetup(GPK, $d$) $\to$ ($CPK_d$, $CAPK_d$, $CMSK_d$): Each $CA_d$ runs the algorithm with 
GPK and its index $d$ as input, and produces a master secret key $CMSK_d$ and public 
parameters ($CPK_d$, $CAPK_d$). $CAPK_d$ will be used by the AAs only. 

AASetup(GPK, $k$, $U_k$) $\to$ ($APK_k$, $ACPK_k$, $AMSK_k$): Each $AA_k$ runs the 
algorithm with GPK, its index $k$ and its attribute domain $U_k$ as input, and produces a 
master secret key $AMSK_k$ and public parameters ($APK_k$, $ACPK_k$). $ACPK_k$ will be used 
by the CAs only. 

Encrypt($M$, $\mathbb{A}$, GPK, $\{CPK_d \mid d \in \mathbb{D}\}$, $\{APK_k\}$) $\to$ CT: 
The algorithm takes as input a message $M$, an access policy $\mathbb{A}$ defined over the 
attribute universe $U$, the global public parameter GPK, the CAs' public parameters 
$\{CPK_d \mid d \in \mathbb{D}\}$, and the related AAs' public parameters $\{APK_k\}$. It 
outputs a ciphertext CT which contains the access policy $\mathbb{A}$. 

CKeyGen($gid$, GPK, $\{ACPK_k \mid k \in \mathbb{K}\}$, $CMSK_d$) $\to$ 
($ucsk_{gid,d}$, $ucpk_{gid,d}$): When a user with global identifier $gid$ visits $CA_d$ 
to obtain a key, $CA_d$ runs the algorithm, which takes as input $gid$, GPK, 
$\{ACPK_k \mid k \in \mathbb{K}\}$ and $CA_d$'s master secret key $CMSK_d$. It outputs a 
user-central-key ($ucsk_{gid,d}$, $ucpk_{gid,d}$), where $ucpk_{gid,d}$ is called the 
user-central-public-key. 

AKeyGen($att$, $\{ucpk_{gid,d} \mid d \in \mathbb{D}\}$, GPK, 
$\{CAPK_d \mid d \in \mathbb{D}\}$, $AMSK_k$) $\to$ $uask_{att,gid}$ or $\bot$: When a user 
requests a secret key for attribute $att$ from $AA_k$, $AA_k$ runs the algorithm, which 
takes as input $att$, $\{ucpk_{gid,d} \mid d \in \mathbb{D}\}$, GPK, 
$\{CAPK_d \mid d \in \mathbb{D}\}$ and $AMSK_k$. If all $ucpk_{gid,d}$ are valid, the 
algorithm outputs a user-attribute-key $uask_{att,gid}$; otherwise it outputs $\bot$. For a 
user $gid$ with attribute set $S_{gid}$, the user's decryption-key is defined as 

$$DK_{gid} = \left(\{ucsk_{gid,d}, ucpk_{gid,d} \mid d \in \mathbb{D}\},\ \{uask_{att,gid} \mid att \in S_{gid}\}\right).$$

Decrypt(CT, GPK, $\{APK_k\}$, $DK_{gid}$) $\to$ $M$ or $\bot$: The algorithm takes as 
input a ciphertext CT associated with access policy $\mathbb{A}$, GPK, the related 
attribute authorities' public parameters $\{APK_k\}$, and a decryption-key $DK_{gid}$ with 
attribute set $S_{gid}$. If $S_{gid}$ satisfies the access policy $\mathbb{A}$, the 
algorithm outputs the message $M$; otherwise it outputs $\bot$. 

Security Model: The security of MA-CP-ABE is defined by the following game between a 
challenger $\mathcal{B}$ and an adversary $\mathcal{A}$. $\mathcal{A}$ can corrupt CAs and 
AAs by specifying $\mathbb{D}_c \subset \mathbb{D}$ and $\mathbb{K}_c \subset \mathbb{K}$ 
after seeing the public parameters¹, where $\mathbb{D} \setminus \mathbb{D}_c \ne \emptyset$ 
and $\mathbb{K} \setminus \mathbb{K}_c \ne \emptyset$. Without loss of generality, we 
assume that $\mathcal{A}$ corrupts all CAs but one, i.e., $|\mathbb{D} \setminus \mathbb{D}_c| = 1$. 

¹ This is stronger than the static corruption model used in [78,79,184], where the 
adversary has to specify the authorities to corrupt before seeing the public parameters. 
On the other hand, it is weaker than the model in [184], where the corrupted authorities 
are set up by the adversary. 

Setup. 

• GlobalSetup, CASetup(GPK, $d$) ($d = 1, \ldots, D$) and AASetup(GPK, $k$, $U_k$) 
($k = 1, \ldots, K$) are run by the challenger $\mathcal{B}$. GPK, 
$\{CPK_d, CAPK_d \mid d \in \mathbb{D}\}$ and $\{APK_k, ACPK_k \mid k \in \mathbb{K}\}$ are 
given to the adversary $\mathcal{A}$. 

• $\mathcal{A}$ specifies an index $d^* \in \mathbb{D}$ as the only uncorrupted CA and a 
set $\mathbb{K}_c \subset \mathbb{K}$ of AAs to be corrupted, where 
$\mathbb{K} \setminus \mathbb{K}_c \ne \emptyset$. Let $\mathbb{D}_c = \mathbb{D} \setminus \{d^*\}$. 
$\{CMSK_d \mid d \in \mathbb{D}_c\}$ and $\{AMSK_k \mid k \in \mathbb{K}_c\}$ are given 
to $\mathcal{A}$. 

Key Query Phase 1. User-central-keys and user-attribute-keys can be obtained by querying 
the following oracles: 

CKQ($gid$, $d$) where $d = d^*$: $\mathcal{A}$ queries with a pair ($gid$, $d$), where 
$gid$ is a global identifier and $d = d^*$, and obtains the corresponding 
user-central-key ($ucsk_{gid,d^*}$, $ucpk_{gid,d^*}$). 

AKQ($att$, $\{ucpk_{gid,d} \mid d \in \mathbb{D}\}$, $k$) where 
$k \in \mathbb{K} \setminus \mathbb{K}_c$: $\mathcal{A}$ queries with 
($att$, $\{ucpk_{gid,d} \mid d \in \mathbb{D}\}$, $k$), where 
$k \in \mathbb{K} \setminus \mathbb{K}_c$ is the index of an uncorrupted AA, 
$\{ucpk_{gid,d} \mid d \in \mathbb{D}\}$ are $gid$'s user-central-public-keys, and $att$ 
is an attribute in $U_k$. The oracle returns a user-attribute-key $uask_{att,gid}$, or 
$\bot$ if $\{ucpk_{gid,d} \mid d \in \mathbb{D}\}$ is invalid. 

Challenge Phase. $\mathcal{A}$ submits two equal-length messages $M_0$ and $M_1$ and an 
access policy $\mathbb{A}$. $\mathcal{B}$ flips a random coin $\beta \in \{0, 1\}$ and sends 
to $\mathcal{A}$ an encryption of $M_\beta$ under $\mathbb{A}$. 

Phase 2. $\mathcal{A}$ makes further queries as in Key Query Phase 1. 

Guess. $\mathcal{A}$ submits a guess $\beta'$ for $\beta$. 

For a $gid$, the related attribute set is defined as 

$$S_{gid} = \{att \mid \text{AKQ}(att, \{ucpk_{gid,d} \mid d \in \mathbb{D}\}, k) \text{ is made by } \mathcal{A}\}.$$

$\mathcal{A}$ wins the game if $\beta' = \beta$, under the restriction that there is no 
$S_{gid}$ such that $S_{gid} \cup (\bigcup_{k \in \mathbb{K}_c} U_k)$ satisfies the 
challenge access policy $\mathbb{A}$. The advantage of $\mathcal{A}$ is defined as 
$|\Pr[\beta = \beta'] - 1/2|$. 

Definition 3.4.4. An MA-CP-ABE system is secure if, for every polynomial-time adversary 
$\mathcal{A}$ in the game above, the advantage of $\mathcal{A}$ is negligible. 

Remarks: It is assumed that a user with global identifier $gid$ requests the central key 
from each $CA_d$ only once, i.e., for each $gid$ there is only one set of 
user-central-keys $\{ucpk_{gid,d} \mid d \in \mathbb{D}\}$. This is not a restriction, but 
it helps simplify the system description. Using more elaborate notation such as 
$ucpk_{gid,d,t}$ and $S_{gid,d,t}$, where $t$ is a timestamp, removes this assumption. In 
the security model above, $\mathcal{A}$ has the master secret keys 
$\{CMSK_d \mid d \in \mathbb{D}_c\}$, so it only needs to query CKQ($gid$, $d^*$) to get 
($ucsk_{gid,d^*}$, $ucpk_{gid,d^*}$), and it can generate 
$\{(ucsk_{gid,d}, ucpk_{gid,d}) \mid d \in \mathbb{D}_c\}$ itself if they are needed for 
querying AKQ. 


110 


CHAPTER 3. ATTRIBUTE-BASED CRYPTOGRAPHY 


3.4.2 Construction 

GlobalSetup($\lambda$) $\to$ GPK: Let $G$ be a bilinear group of order $N = p_1 p_2 p_3$ 
(three distinct primes), and $G_{p_i}$ the subgroup of order $p_i$ in $G$. The algorithm 
randomly chooses $g, h \in G_{p_1}$. Let $X_3$ be a generator of $G_{p_3}$. The global 
public parameter is published as $GPK = (N, g, h, X_3, \Sigma_{sign})$, where 
$\Sigma_{sign} = (\mathrm{KeyGen}, \mathrm{Sign}, \mathrm{Verify})$ is the description of a 
UF-CMA secure signature scheme. 

CASetup(GPK, $d$) $\to$ ($CPK_d$, $CAPK_d$, $CMSK_d$): $CA_d$ runs the KeyGen algorithm of 
$\Sigma_{sign}$ to generate a signing key pair $(\mathrm{SignKey}_d, \mathrm{VerifyKey}_d)$, 
and chooses a random exponent $\alpha_d \in \mathbb{Z}_N$. $CA_d$ publishes its public 
parameters $CPK_d = e(g, g)^{\alpha_d}$ and $CAPK_d = \mathrm{VerifyKey}_d$, and sets its 
master secret key $CMSK_d = (\alpha_d, \mathrm{SignKey}_d)$. 

AASetup(GPK, $k$, $U_k$) $\to$ ($APK_k$, $ACPK_k$, $AMSK_k$): For each $att \in U_k$, 
$AA_k$ randomly chooses $s_{att} \in \mathbb{Z}_N$ and sets $T_{att} = g^{s_{att}}$. For 
each $d \in \mathbb{D}$, $AA_k$ randomly chooses $v_{k,d} \in \mathbb{Z}_N$ and sets 
$V_{k,d} = g^{v_{k,d}}$. $AA_k$ publishes its public parameters 
$APK_k = \{T_{att} \mid att \in U_k\}$ and $ACPK_k = \{V_{k,d} \mid d \in \mathbb{D}\}$, and 
sets its master secret key 
$AMSK_k = (\{s_{att} \mid att \in U_k\}, \{v_{k,d} \mid d \in \mathbb{D}\})$. 

Encrypt($M$, $\mathbb{A} = (A, \rho)$, GPK, $\{CPK_d \mid d \in \mathbb{D}\}$, $\{APK_k\}$) 
$\to$ CT: $M$ is the message to be encrypted, and $\mathbb{A}$ is the access policy, 
expressed as an LSSS matrix $(A, \rho)$ where $A$ is an $\ell \times n$ matrix and $\rho$ 
maps each row $A_x$ of $A$ to an attribute $\rho(x)$. It is required that $\rho$ does not 
map two different rows to the same attribute. The algorithm chooses a random vector 
$\vec{v} = (s, v_2, \ldots, v_n) \in \mathbb{Z}_N^n$ and, for each $x \in \{1, 2, \ldots, \ell\}$, 
a random $r_x \in \mathbb{Z}_N$. Let $A_x \cdot \vec{v}$ be the inner product of the $x$-th 
row of $A$ and the vector $\vec{v}$. The ciphertext is 

$$C = M \cdot \prod_{d=1}^{D} e(g, g)^{\alpha_d s},\qquad C' = g^{s},\qquad 
\left\{C_x = h^{A_x \cdot \vec{v}}\, T_{\rho(x)}^{-r_x},\ C'_x = g^{r_x} \;\middle|\; x \in \{1, 2, \ldots, \ell\}\right\},$$

along with the access policy $\mathbb{A} = (A, \rho)$. 
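Encrypt needs the LSSS matrix $(A, \rho)$ for a policy, and Decrypt (below) needs the 
reconstruction coefficients $\omega_x$. The following Python is an added example, not code 
from the book or from the authors' implementation. It builds $(A, \rho)$ for a monotone 
AND/OR formula with the Lewko-Waters formula-to-LSSS labelling, shares a secret as 
$\lambda_x = A_x \cdot \vec{v}$, recovers $\omega_x$ for a satisfying attribute set by 
Gauss-Jordan elimination, and enforces the one-use requirement that $\rho$ be injective. 
It works over $\mathbb{Z}_p$ for an assumed prime $p$ (the scheme itself uses 
$\mathbb{Z}_N$ with composite $N$, where elimination needs a unit pivot and fails only 
with negligible probability); the formula syntax, the policy and the attribute names are 
made up for the example, and names must not contain spaces because of the tiny parser.

```python
"""LSSS access structures for CP-ABE: formula -> (A, rho), secret sharing,
and the reconstruction coefficients omega_x used by Decrypt.
Added example (not the book's code). Arithmetic is over Z_P for an assumed
prime P; the scheme uses composite N. The AND/OR formula syntax is our own."""
import random

P = 2**61 - 1  # assumed prime modulus


def parse(policy):
    """'(a AND (b OR c))' -> ('AND', 'a', ('OR', 'b', 'c')).
    Attribute names must not contain spaces or parentheses."""
    tokens = policy.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def expr():
        nonlocal pos
        if tokens[pos] != "(":
            pos += 1
            return tokens[pos - 1]
        pos += 1
        left = expr()
        op = tokens[pos]
        pos += 1
        right = expr()
        if tokens[pos] != ")":
            raise ValueError("expected ')'")
        pos += 1
        return (op, left, right)

    tree = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return tree


def lsss_from_formula(tree):
    """Lewko-Waters labelling: the root gets (1); an OR node passes its vector
    to both children; an AND node with vector v gives one child v||1 and the
    other (0,...,0,-1), using a counter c that grows by one per AND gate.
    Returns (A, rho) with rows padded to the final width; rho must be injective
    (the one-use restriction of the scheme)."""
    rows, rho, counter = [], [], [1]

    def label(node, vec):
        if isinstance(node, str):
            rows.append(vec)
            rho.append(node)
        elif node[0] == "OR":
            label(node[1], vec)
            label(node[2], vec)
        elif node[0] == "AND":
            c = counter[0]
            counter[0] = c + 1
            label(node[1], vec + [0] * (c - len(vec)) + [1])
            label(node[2], [0] * c + [-1])
        else:
            raise ValueError("unknown gate %r" % (node[0],))

    label(tree, [1])
    n = counter[0]
    if len(set(rho)) != len(rho):
        raise ValueError("one-use restriction: rho maps two rows to one attribute")
    return [r + [0] * (n - len(r)) for r in rows], rho


def share(A, secret):
    """Pick v = (s, v_2, ..., v_n) and return (v, [A_x . v mod P for each row x])."""
    v = [secret % P] + [random.randrange(P) for _ in range(len(A[0]) - 1)]
    return v, [sum(a * b for a, b in zip(row, v)) % P for row in A]


def recon_coeffs(A, rho, attrs):
    """Solve sum_x omega_x A_x = (1, 0, ..., 0) over Z_P using only the rows x
    with rho(x) in attrs (Gauss-Jordan on the transposed system). Returns
    {x: omega_x}, or None when attrs does not satisfy the policy."""
    idx = [x for x, att in enumerate(rho) if att in attrs]
    n, m = len(A[0]), len(idx)
    # Row j of M holds column j of the selected rows, augmented with e_1[j].
    M = [[A[x][j] % P for x in idx] + [1 if j == 0 else 0] for j in range(n)]
    pivots, r = [], 0
    for c in range(m):
        piv = next((i for i in range(r, n) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, P)
        M[r] = [val * inv % P for val in M[r]]
        for i in range(n):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % P for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][m] for i in range(r, n)):
        return None                                   # inconsistent: policy not satisfied
    return {idx[c]: M[i][m] for i, c in enumerate(pivots)}   # free unknowns set to 0


def reconstruct(shares, omega):
    """sum_x omega_x * lambda_x, which equals the first coordinate s of v."""
    return sum(omega[x] * shares[x] for x in omega) % P


def demo():
    """The policy from the text: returns (satisfying set recovers s, subset fails)."""
    policy = "(UNIV.X.CS AND (UNIV.X.ALUMNI AND COMP.Y.ENGINEER))"
    A, rho = lsss_from_formula(parse(policy))
    v, shares = share(A, 123456789)
    good = recon_coeffs(A, rho, {"UNIV.X.CS", "UNIV.X.ALUMNI", "COMP.Y.ENGINEER"})
    bad = recon_coeffs(A, rho, {"UNIV.X.CS", "UNIV.X.ALUMNI"})
    return reconstruct(shares, good) == 123456789, bad is None
```

For an all-AND formula the labelling yields rows that sum to $(1, 0, \ldots, 0)$, so 
every $\omega_x$ is 1; the general solver is what an OR branch or a threshold gate 
needs. A real Encrypt never reconstructs $s$ in the clear: Decrypt only ever sees the 
shares in the exponent, as $h^{A_x \cdot \vec{v}}$ inside $C_x$.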

CKeyGen($gid$, GPK, $\{V_{k,d} \mid k \in \mathbb{K}\}$, $CMSK_d$) $\to$ 
($ucsk_{gid,d}$, $ucpk_{gid,d}$): When a user submits his $gid$ to $CA_d$ to request the 
user-central-key, $CA_d$ randomly chooses $r_{gid,d} \in \mathbb{Z}_N$ and 
$R_{gid,d}, R'_{gid,d} \in G_{p_3}$, then sets 

$$ucsk_{gid,d} = g^{\alpha_d}\, h^{r_{gid,d}}\, R_{gid,d},\qquad 
L_{gid,d} = g^{r_{gid,d}}\, R'_{gid,d}.$$

For $k = 1$ to $K$, $CA_d$ randomly picks $R_{gid,d,k} \in G_{p_3}$ and computes 

$$\Gamma_{gid,d,k} = V_{k,d}^{\,r_{gid,d}}\, R_{gid,d,k}.$$

$CA_d$ computes 
$\sigma_{gid,d} = \mathrm{Sign}(\mathrm{SignKey}_d,\ gid \| d \| L_{gid,d} \| \Gamma_{gid,d,1} \| \cdots \| \Gamma_{gid,d,K})$. 
Let $ucpk_{gid,d} = (gid, d, L_{gid,d}, \{\Gamma_{gid,d,k} \mid k \in \mathbb{K}\}, \sigma_{gid,d})$. 

AKeyGen($att$, $\{ucpk_{gid,d} \mid d \in \mathbb{D}\}$, GPK, 
$\{\mathrm{VerifyKey}_d \mid d \in \mathbb{D}\}$, $AMSK_k$) $\to$ $uask_{att,gid}$ or 
$\bot$: When a user submits his $\{ucpk_{gid,d} \mid d \in \mathbb{D}\}$ to $AA_k$ to 
request the user-attribute-key for attribute $att \in U_k$: 

1. For $d = 1$ to $D$, $AA_k$ parses $ucpk_{gid,d}$ into 
$(gid, d, L_{gid,d}, \{\Gamma_{gid,d,k} \mid k \in \mathbb{K}\}, \sigma_{gid,d})$ and checks 
whether 

$$\mathrm{valid} \leftarrow \mathrm{Verify}(\mathrm{VerifyKey}_d,\ gid \| d \| L_{gid,d} \| \Gamma_{gid,d,1} \| \cdots \| \Gamma_{gid,d,K},\ \sigma_{gid,d}) \tag{3.1}$$

$$e(g, \Gamma_{gid,d,k}) = e(V_{k,d}, L_{gid,d}) \ne 1. \tag{3.2}$$

If either check fails, $AA_k$ outputs $\bot$ to the user, indicating that the submitted 
$\{ucpk_{gid,d} \mid d \in \mathbb{D}\}$ are invalid. 

2. For $d = 1$ to $D$, $AA_k$ randomly picks $R'_{att,gid,d} \in G_{p_3}$ and sets 

$$uask_{att,gid,d} = (\Gamma_{gid,d,k})^{s_{att}/v_{k,d}}\, R'_{att,gid,d}. \tag{3.3}$$

Note that 

$$\begin{aligned}
uask_{att,gid,d} &= (\Gamma_{gid,d,k})^{s_{att}/v_{k,d}}\, R'_{att,gid,d} \\
&= \left(V_{k,d}^{\,r_{gid,d}}\, R_{gid,d,k}\right)^{s_{att}/v_{k,d}} R'_{att,gid,d} \\
&= \left(g^{v_{k,d}\, r_{gid,d}}\right)^{s_{att}/v_{k,d}} \left(R_{gid,d,k}\right)^{s_{att}/v_{k,d}} R'_{att,gid,d} \\
&= T_{att}^{\,r_{gid,d}} \left(R_{gid,d,k}\right)^{s_{att}/v_{k,d}} R'_{att,gid,d}.
\end{aligned}$$

As $(R_{gid,d,k})^{s_{att}/v_{k,d}}\, R'_{att,gid,d}$ lies in $G_{p_3}$ and 
$R'_{att,gid,d}$ is chosen at random, we can write 

$$uask_{att,gid,d} = T_{att}^{\,r_{gid,d}}\, R_{att,gid,d}. \tag{3.4}$$

Without knowing the value of $r_{gid,d}$, $AA_k$ obtains the value (3.4) by computing (3.3). 

3. $AA_k$ outputs the user-attribute-key $uask_{att,gid}$ to the user, where 

$$uask_{att,gid} = \prod_{d=1}^{D} uask_{att,gid,d} 
= \prod_{d=1}^{D} T_{att}^{\,r_{gid,d}}\, R_{att,gid,d} 
= T_{att}^{\sum_{d=1}^{D} r_{gid,d}} \prod_{d=1}^{D} R_{att,gid,d} 
= T_{att}^{\,r_{gid}}\, R_{att,gid}, \tag{3.5}$$

with $r_{gid} = \sum_{d=1}^{D} r_{gid,d}$ and $R_{att,gid} = \prod_{d=1}^{D} R_{att,gid,d}$. 

Decrypt(CT, GPK, $\{APK_k\}$, $DK_{gid}$) $\to$ $M$: The ciphertext CT is parsed into 
$(C, C', \{C_x, C'_x \mid x \in \{1, 2, \ldots, \ell\}\}, \mathbb{A} = (A, \rho))$, and the 
decryption-key $DK_{gid}$ is parsed into 
$(\{ucsk_{gid,d}, ucpk_{gid,d} \mid d \in \mathbb{D}\}, \{uask_{att,gid} \mid att \in S_{gid}\})$. 
The algorithm computes 

$$ucsk_{gid} = \prod_{d=1}^{D} ucsk_{gid,d} 
= g^{\sum_{d=1}^{D} \alpha_d}\, h^{\sum_{d=1}^{D} r_{gid,d}} \prod_{d=1}^{D} R_{gid,d} 
= g^{\alpha}\, h^{r_{gid}}\, R_{gid},$$

with $\alpha = \sum_{d=1}^{D} \alpha_d$, $r_{gid} = \sum_{d=1}^{D} r_{gid,d}$ and 
$R_{gid} = \prod_{d=1}^{D} R_{gid,d}$, and 

$$L_{gid} = \prod_{d=1}^{D} L_{gid,d} 
= g^{\sum_{d=1}^{D} r_{gid,d}} \prod_{d=1}^{D} R'_{gid,d} 
= g^{r_{gid}}\, R'_{gid},$$

with $R'_{gid} = \prod_{d=1}^{D} R'_{gid,d}$. Note that for all $att \in S_{gid}$, 
$uask_{att,gid} = T_{att}^{\sum_{d=1}^{D} r_{gid,d}}\, R_{att,gid} = T_{att}^{\,r_{gid}}\, R_{att,gid}$. 

If $S_{gid}$ satisfies the access policy $(A, \rho)$, the algorithm computes constants 
$\omega_x \in \mathbb{Z}_N$ such that $\sum_{\rho(x) \in S_{gid}} \omega_x A_x = (1, 0, \ldots, 0)$. 
Then it computes 

$$\frac{e(C', ucsk_{gid})}{\prod_{\rho(x) \in S_{gid}} \left(e(C_x, L_{gid}) \cdot e(C'_x, uask_{\rho(x),gid})\right)^{\omega_x}} = e(g, g)^{\alpha s}.$$

As $C = M \cdot \prod_{d=1}^{D} e(g, g)^{\alpha_d s} = M \cdot e(g, g)^{s \sum_{d=1}^{D} \alpha_d} = M \cdot e(g, g)^{s\alpha}$, 
$M$ can be recovered as $C / e(g, g)^{\alpha s}$. 

In the above system, an attribute is required to appear at most once in an LSSS 
matrix (A, p). This restriction is crucial to the security proof. Such a system is called 
a one-use system, and it can be extended to a multi-use system by using the encoding 
technique [181]. 
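To see how the pieces issued by different CAs and AAs fit together, here is an added 
example (not the book's code and not the authors' implementation) that runs the whole 
construction at the level of exponents: each $G_{p_1}$ element $g^{a}$ is represented by 
$a \bmod p$, a pairing $e(g^{a}, g^{b}) = e(g, g)^{ab}$ by $ab \bmod p$, and products in 
$G$ or $G_T$ by sums of exponents. The $G_{p_2}$ and $G_{p_3}$ components and the signature 
$\sigma_{gid,d}$ are left out, since they cancel in every pairing that Decrypt evaluates; 
the model checks the algebra of (3.2) to (3.5) and of Decrypt, and shows that dropping 
$CA_1$'s share leaves the decryptor with $e(g, g)^{(\alpha - \alpha_1) s}$ instead of 
$e(g, g)^{\alpha s}$. It is not a security model: discrete logarithms are trivial here by 
construction. The prime $p$, the three-attribute AND policy with its hard-coded LSSS 
matrix, and the identifiers are assumptions of the example.

```python
"""Exponent-level model of the MA-CP-ABE construction of Section 3.4.2.
Added example, not the book's code. G_{p1} elements are their discrete logs
mod P, pairings are products of exponents, group products are sums. P is an
assumed prime standing in for p1; G_{p2}/G_{p3} parts and signatures are
omitted because they vanish in the pairings Decrypt computes."""
import random

P = 2**61 - 1


def pair(a, b):
    """e(g^a, g^b) = e(g,g)^{ab}, represented by the exponent ab mod P."""
    return a * b % P


class MACPABE:
    """GlobalSetup/CASetup/AASetup state plus Encrypt, CKeyGen and AKeyGen."""

    def __init__(self, n_ca, domains):
        self.D = list(range(1, n_ca + 1))
        self.h = random.randrange(1, P)                          # h = g^h
        self.alpha = {d: random.randrange(P) for d in self.D}    # CMSK_d = alpha_d
        self.s, self.v, self.domain_of = {}, {}, {}
        for k, atts in domains.items():                          # AASetup for AA_k
            for att in atts:
                self.s[att] = random.randrange(1, P)             # T_att = g^{s_att}
                self.domain_of[att] = k
            self.v[k] = {d: random.randrange(1, P) for d in self.D}  # V_{k,d}

    def encrypt(self, A, rho):
        """Return (CT, alpha*s). C = M . prod_d e(g,g)^{alpha_d s} is a one-time
        pad of M in G_T, so the exponent alpha*s is what Decrypt must recover."""
        s = random.randrange(1, P)
        v = [s] + [random.randrange(P) for _ in range(len(A[0]) - 1)]
        rows = []
        for x, row in enumerate(A):
            lam = sum(a * b for a, b in zip(row, v)) % P          # A_x . v
            r_x = random.randrange(P)
            C_x = (self.h * lam - self.s[rho[x]] * r_x) % P       # h^{A_x.v} T_{rho(x)}^{-r_x}
            rows.append((C_x, r_x, rho[x]))                       # (C_x, C'_x = g^{r_x}, rho(x))
        key = sum(self.alpha.values()) * s % P
        return {"C'": s, "rows": rows}, key

    def ckeygen(self, gid, d):
        """CA_d: ucsk = g^{alpha_d} h^{r}, L = g^{r}, Gamma_k = V_{k,d}^{r}."""
        r = random.randrange(1, P)
        ucsk = (self.alpha[d] + self.h * r) % P
        ucpk = {"gid": gid, "d": d, "L": r,
                "Gamma": {k: self.v[k][d] * r % P for k in self.v}}
        return ucsk, ucpk

    def akeygen(self, att, ucpks):
        """AA_k: check (3.2) for every d, then apply (3.3). Returns the per-CA
        pieces uask_{att,gid,d} = T_att^{r_{gid,d}} of (3.4), or None (bottom)."""
        k = self.domain_of[att]
        pieces = {}
        for d in self.D:
            pk = ucpks[d]
            lhs = pair(1, pk["Gamma"][k])                         # e(g, Gamma_{gid,d,k})
            if lhs != pair(self.v[k][d], pk["L"]) or lhs == 0:    # != e(V_{k,d}, L) or == 1
                return None
            exp = self.s[att] * pow(self.v[k][d], -1, P) % P      # s_att / v_{k,d}
            pieces[d] = pk["Gamma"][k] * exp % P                  # Gamma^{s_att/v_{k,d}}
        return pieces


def aggregate(ucsks, ucpks, pieces, ds):
    """Multiply the per-CA key parts of the CAs in ds: (3.5) and the products
    ucsk_gid, L_gid formed at the start of Decrypt."""
    ucsk = sum(ucsks[d] for d in ds) % P
    L = sum(ucpks[d]["L"] for d in ds) % P
    uask = {att: sum(p[d] for d in ds) % P for att, p in pieces.items()}
    return ucsk, L, uask


def decrypt(ct, ucsk, L, uask, omega):
    """e(C', ucsk) / prod_x (e(C_x, L) . e(C'_x, uask_{rho(x)}))^{omega_x}."""
    den = 0
    for x, w in omega.items():
        C_x, C1_x, att = ct["rows"][x]
        den = (den + w * (pair(C_x, L) + pair(C1_x, uask[att]))) % P
    return (pair(ct["C'"], ucsk) - den) % P


# "UNIV.X.CS AND UNIV.X.ALUMNI AND COMP.Y.ENGINEER" in Lewko-Waters LSSS form;
# the rows sum to (1, 0, 0), so every omega_x is 1 when all three are held.
A = [[1, 1, 0], [0, -1, 1], [0, 0, -1]]
RHO = ["UNIV.X.CS", "UNIV.X.ALUMNI", "COMP.Y.ENGINEER"]
OMEGA = {0: 1, 1: 1, 2: 1}


def run(n_ca=3, seed=7):
    """Returns (full key decrypts, key without CA_1 decrypts,
    key without CA_1 gives e(g,g)^{(alpha-alpha_1)s}, tampered ucpk rejected)."""
    random.seed(seed)
    sys = MACPABE(n_ca, {1: RHO[:2], 2: RHO[2:]})    # AA_1: university, AA_2: company
    ct, key = sys.encrypt(A, RHO)
    ucsks, ucpks = {}, {}
    for d in sys.D:
        ucsks[d], ucpks[d] = sys.ckeygen("alice", d)
    pieces = {att: sys.akeygen(att, ucpks) for att in RHO}
    full = decrypt(ct, *aggregate(ucsks, ucpks, pieces, sys.D), OMEGA)
    rest = [d for d in sys.D if d != 1]
    partial = decrypt(ct, *aggregate(ucsks, ucpks, pieces, rest), OMEGA)
    expected_partial = (key - sys.alpha[1] * ct["C'"]) % P
    bad = {d: dict(pk) for d, pk in ucpks.items()}
    bad[1]["L"] = (bad[1]["L"] + 1) % P               # L no longer matches Gamma: (3.2) fails
    return (full == key, partial == key, partial == expected_partial,
            sys.akeygen(RHO[0], bad) is None)
```

The per-CA pieces returned by `akeygen` correspond to the $\Pi'$ variant of the scheme 
used in the security analysis, where $uask_{att,gid}$ is kept as 
$\{uask_{att,gid,d} \mid d \in \mathbb{D}\}$; summing them over $d$ is the product in 
(3.5). In the real scheme the user cannot drop a CA at will, because $AA_k$ only issues 
keys after all $D$ user-central-public-keys pass (3.1) and (3.2).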


3.4.3 Security Analysis 

Let $\Pi$ denote the main construction; we modify $\Pi$ into $\Pi'$ as follows: 

• In the AKeyGen algorithm, it outputs $uask_{att,gid} = \{uask_{att,gid,d} \mid d \in \mathbb{D}\}$ 
rather than $uask_{att,gid} = \prod_{d=1}^{D} uask_{att,gid,d}$, i.e., $gid$'s 
decryption-key is 

$$\begin{aligned}
DK_{gid} &= \left(\{ucsk_{gid,d}, ucpk_{gid,d} \mid d \in \mathbb{D}\},\ \{uask_{att,gid} \mid att \in S_{gid}\}\right) \\
&= \left(\{ucsk_{gid,d}, ucpk_{gid,d} \mid d \in \mathbb{D}\},\ \{\{uask_{att,gid,d} \mid d \in \mathbb{D}\} \mid att \in S_{gid}\}\right) \\
&= \left(\{ucsk_{gid,d}, ucpk_{gid,d} \mid d \in \mathbb{D}\},\ \{\{uask_{att,gid,d} \mid att \in S_{gid}\} \mid d \in \mathbb{D}\}\right) \\
&= \left\{\left(ucsk_{gid,d}, ucpk_{gid,d}, \{uask_{att,gid,d} \mid att \in S_{gid}\}\right) \mid d \in \mathbb{D}\right\} \\
&= \{usk_{gid,d} \mid d \in \mathbb{D}\},
\end{aligned}$$

where $usk_{gid,d} = (ucsk_{gid,d}, ucpk_{gid,d}, \{uask_{att,gid,d} \mid att \in S_{gid}\})$ 
is called $gid$'s user-key related to $d$. 

• In the Decrypt algorithm, 

1. For $d = 1$ to $D$, the algorithm uses $usk_{gid,d}$ to reconstruct $e(g, g)^{\alpha_d s}$: 

$$\frac{e(C', ucsk_{gid,d})}{\prod_{\rho(x) \in S_{gid}} \left(e(C_x, L_{gid,d}) \cdot e(C'_x, uask_{\rho(x),gid,d})\right)^{\omega_x}} = e(g, g)^{\alpha_d s}. \tag{3.6}$$

2. The algorithm recovers $M$ by 

$$M = C \Big/ \prod_{d=1}^{D} e(g, g)^{\alpha_d s}. \tag{3.7}$$

Note that the user and the attacker get more information in $\Pi'$, so the security of 
$\Pi'$ implies the security of $\Pi$. We show the security of $\Pi'$ in the following. In 
the security model, $CA_{d^*}$ is the only uncorrupted central authority and no 
$S_{gid} \cup (\bigcup_{k \in \mathbb{K}_c} U_k)$ can satisfy the challenge access policy. 
This means that the adversary cannot request keys that form a $usk_{gid,d^*}$ able to 
reconstruct $e(g, g)^{\alpha_{d^*} s}$. In our proof, the challenger responds to the 
adversary as in the real attack for all key queries related to $d \ne d^*$. For the key 
queries related to $d^*$, we use the proof technique of [181] to provide the answers. 
Before we give our proof, we need to define two additional structures: semi-functional 
ciphertexts and keys. We choose random values $z_{att} \in \mathbb{Z}_N$ associated with 
the attributes. 
Semi-functional Ciphertext: A semi-functional ciphertext is formed as follows. Let $g_2$ 
denote a generator of $G_{p_2}$ and $c$ a random exponent modulo $N$. Besides the random 
vector $\vec{v} = (s, v_2, \ldots, v_n)$ and the random values 
$\{r_x \mid x \in \{1, 2, \ldots, \ell\}\}$, we also choose a random vector 
$\vec{u} = (u_1, u_2, \ldots, u_n) \in \mathbb{Z}_N^n$ and random values 
$\{\gamma_x \in \mathbb{Z}_N \mid x \in \{1, 2, \ldots, \ell\}\}$. Then: 

$$C' = g^{s} g_2^{\,c},\qquad 
\left\{C_x = h^{A_x \cdot \vec{v}}\, T_{\rho(x)}^{-r_x}\, g_2^{\,A_x \cdot \vec{u} + \gamma_x z_{\rho(x)}},\ 
C'_x = g^{r_x} g_2^{-\gamma_x} \;\middle|\; x \in \{1, 2, \ldots, \ell\}\right\}.$$

Semi-functional Key: For a $gid$, a semi-functional user-key $usk_{gid,d^*}$ has two 
possible forms. Exponents $r_{gid,d^*}, \delta, b \in \mathbb{Z}_N$, 
$\{w_{k,d^*} \in \mathbb{Z}_N \mid k \in \mathbb{K}\}$, and elements 
$R_{gid,d^*}, R'_{gid,d^*} \in G_{p_3}$, $\{R_{att,gid,d^*} \in G_{p_3} \mid att \in S_{gid}\}$, 
$\{R_{gid,d^*,k} \in G_{p_3} \mid k \in \mathbb{K}\}$ are chosen at random. 

• Type 1: 

The user-central-key $(ucsk_{gid,d^*}, ucpk_{gid,d^*})$ is formed as 

$$ucsk_{gid,d^*} = g^{\alpha_{d^*}}\, h^{r_{gid,d^*}}\, R_{gid,d^*}\, g_2^{\,\delta},\qquad 
L_{gid,d^*} = g^{r_{gid,d^*}}\, R'_{gid,d^*}\, g_2^{\,b},$$

$$\Gamma_{gid,d^*,k} = V_{k,d^*}^{\,r_{gid,d^*}}\, R_{gid,d^*,k}\, g_2^{\,b\, w_{k,d^*}} \quad (k = 1, 2, \ldots, K),$$

$$\sigma_{gid,d^*} = \mathrm{Sign}(\mathrm{SignKey}_{d^*},\ gid \| d^* \| L_{gid,d^*} \| \Gamma_{gid,d^*,1} \| \cdots \| \Gamma_{gid,d^*,K}),$$

$$ucpk_{gid,d^*} = (gid, d^*, L_{gid,d^*}, \{\Gamma_{gid,d^*,k} \mid k \in \mathbb{K}\}, \sigma_{gid,d^*}).$$

For all $att \in S_{gid}$, the derived $uask_{att,gid,d^*}$ is formed as 

$$uask_{att,gid,d^*} = T_{att}^{\,r_{gid,d^*}}\, R_{att,gid,d^*}\, g_2^{\,b\, z_{att}}.$$

• Type 2: 

The user-central-key $(ucsk_{gid,d^*}, ucpk_{gid,d^*})$ is formed as 

$$ucsk_{gid,d^*} = g^{\alpha_{d^*}}\, h^{r_{gid,d^*}}\, R_{gid,d^*}\, g_2^{\,\delta},\qquad 
L_{gid,d^*} = g^{r_{gid,d^*}}\, R'_{gid,d^*},$$

$$\Gamma_{gid,d^*,k} = V_{k,d^*}^{\,r_{gid,d^*}}\, R_{gid,d^*,k} \quad (k = 1, 2, \ldots, K),$$

$$\sigma_{gid,d^*} = \mathrm{Sign}(\mathrm{SignKey}_{d^*},\ gid \| d^* \| L_{gid,d^*} \| \Gamma_{gid,d^*,1} \| \cdots \| \Gamma_{gid,d^*,K}),$$

$$ucpk_{gid,d^*} = (gid, d^*, L_{gid,d^*}, \{\Gamma_{gid,d^*,k} \mid k \in \mathbb{K}\}, \sigma_{gid,d^*}).$$

For all $att \in S_{gid}$, the derived $uask_{att,gid,d^*}$ is formed as 

$$uask_{att,gid,d^*} = T_{att}^{\,r_{gid,d^*}}\, R_{att,gid,d^*}.$$

Note that both semi-functional user-keys of types 1 and 2 satisfy (3.1) and (3.2), and 
that type 2 is the special case of type 1 with $b = 0$. 

When a normal $usk_{gid,d^*}$ and a semi-functional ciphertext, or a semi-functional 
$usk_{gid,d^*}$ and a normal ciphertext, are used in computation (3.6), 
$e(g, g)^{\alpha_{d^*} s}$ is obtained, and this value can be used in computation (3.7). 
When a semi-functional $usk_{gid,d^*}$ and a semi-functional ciphertext are used in 
computation (3.6), the result is $e(g, g)^{\alpha_{d^*} s} \cdot e(g_2, g_2)^{c\delta - b u_1}$. 
The additional term $e(g_2, g_2)^{c\delta - b u_1}$ hinders computation (3.7). We call a 
semi-functional user-key of type 1 nominally semi-functional if $c\delta - b u_1 = 0$. 
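The extra factor can be read off from the $G_{p_2}$ components alone. As an added 
derivation (not in the original text), with the type 1 key and the semi-functional 
ciphertext above, the $G_{p_2}$ contributions to the terms of (3.6) are 

$$e(C', ucsk_{gid,d^*}):\quad e(g_2^{\,c}, g_2^{\,\delta}) = e(g_2, g_2)^{c\delta},$$

$$e(C_x, L_{gid,d^*})\, e(C'_x, uask_{\rho(x),gid,d^*}):\quad 
e(g_2, g_2)^{b\,(A_x \cdot \vec{u} + \gamma_x z_{\rho(x)})}\, e(g_2, g_2)^{-\gamma_x\, b\, z_{\rho(x)}} 
= e(g_2, g_2)^{b\, A_x \cdot \vec{u}},$$

$$\prod_{\rho(x) \in S_{gid}} \left(e(g_2, g_2)^{b\, A_x \cdot \vec{u}}\right)^{\omega_x} 
= e(g_2, g_2)^{b \sum_x \omega_x A_x \cdot \vec{u}} = e(g_2, g_2)^{b u_1},$$

so (3.6) evaluates to $e(g, g)^{\alpha_{d^*} s}\, e(g_2, g_2)^{c\delta - b u_1}$. The 
$\gamma_x z_{\rho(x)}$ terms cancel because the same $z_{att}$ appears in $C_x$ and in 
$uask_{att,gid,d^*}$. For a type 2 key ($b = 0$) the factor is $e(g_2, g_2)^{c\delta}$, 
which is why a type 2 key cannot decrypt a semi-functional ciphertext. 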

The security of $\Pi'$ relies on Assumptions 1, 2 and 3. We use a hybrid argument over a 
sequence of games. The first game $\mathrm{Game}_{Real}$ is the real security game. In the 
final game $\mathrm{Game}_{Final}$, all user-keys related to $d^*$, $\{usk_{gid,d^*}\}$, are 
semi-functional of type 2, and the ciphertext is a semi-functional encryption of a random 
message, independent of the two messages provided by $\mathcal{A}$. 

$\mathrm{Game}_{Real}$: The challenge ciphertext is normal. All CKQs are answered with 
normal user-central-keys. All AKQs are answered with user-attribute-keys generated by 
running the normal AKeyGen algorithm. 

$\mathrm{Game}_0$: The challenge ciphertext is semi-functional. All CKQs are answered 
with normal user-central-keys. All AKQs are answered with user-attribute-keys generated 
by running the normal AKeyGen algorithm. 

Let $q$ denote the number of CKQs made by $\mathcal{A}$. For $j$ from 1 to $q$, we 
consider the following games: 

$\mathrm{Game}_{j,1}$: In this game, the challenge ciphertext is semi-functional. The 
first $j - 1$ CKQs are answered with semi-functional user-central-keys of type 2; the 
$j$-th CKQ is answered with a semi-functional user-central-key of type 1; and the 
remaining CKQs are answered with normal user-central-keys. All AKQs are answered with 
user-attribute-keys generated by running the normal AKeyGen algorithm. 

$\mathrm{Game}_{j,2}$: In this game, the challenge ciphertext is semi-functional. The 
first $j - 1$ CKQs are answered with semi-functional user-central-keys of type 2; the 
$j$-th CKQ is answered with a semi-functional user-central-key of type 2; and the 
remaining CKQs are answered with normal user-central-keys. All AKQs are answered with 
user-attribute-keys generated by running the normal AKeyGen algorithm. 

$\mathrm{Game}_{Final}$: In this game, the challenge ciphertext is a semi-functional 
encryption of a random message, independent of the two messages provided by the 
adversary. All CKQs are answered with semi-functional user-central-keys of type 2. All 
AKQs are answered with user-attribute-keys generated by running the normal AKeyGen 
algorithm, as in all the other games. 

In the proofs, we will show that the derived $uask_{att,gid,d^*}$ is determined by the 
corresponding user-central-key $(ucsk_{gid,d^*}, ucpk_{gid,d^*})$, i.e., if 
$(ucsk_{gid,d^*}, ucpk_{gid,d^*})$ is semi-functional of type 1 (respectively, type 2), 
then the derived $uask_{att,gid,d^*}$ is also semi-functional of type 1 (respectively, 
type 2). Consequently, $usk_{gid,d^*}$ is determined by the corresponding 
$(ucsk_{gid,d^*}, ucpk_{gid,d^*})$ as well. Note that in $\mathrm{Game}_0$ all 
user-central-keys related to $d^*$ are normal and in $\mathrm{Game}_{q,2}$ all 
user-central-keys related to $d^*$ are semi-functional of type 2. This means that in 
$\mathrm{Game}_0$ all user-keys $usk_{gid,d^*}$ are normal and in $\mathrm{Game}_{q,2}$ all 
user-keys $usk_{gid,d^*}$ are semi-functional of type 2. We show that these games are 
indistinguishable in the following four lemmas (see Figure 3.10). 

Figure 3.10: Indistinguishable games. L1 denotes Lemma 1, and so on. 

Lemma 3.4.5. Given a UF-CMA signature scheme $\Sigma_{sign}$, suppose a poly-time 
algorithm $\mathcal{A}$ exists such that 
$\mathrm{Game}_{Real}Adv_{\mathcal{A}} - \mathrm{Game}_0 Adv_{\mathcal{A}} = \epsilon$. Then 
we can construct a poly-time algorithm $\mathcal{B}$ with advantage $\epsilon$ against 
Assumption 1. 

Lemma 3.4.6. Use $\mathrm{Game}_{0,2}$ to denote $\mathrm{Game}_0$. Given a UF-CMA 
signature scheme $\Sigma_{sign}$, suppose a poly-time algorithm $\mathcal{A}$ exists such 
that 

$$\mathrm{Game}_{j-1,2}Adv_{\mathcal{A}} - \mathrm{Game}_{j,1}Adv_{\mathcal{A}} = \epsilon.$$

Then we can construct a poly-time algorithm $\mathcal{B}$ with advantage negligibly close 
to $\epsilon$ against Assumption 2. 

Lemma 3.4.7. Given a UF-CMA signature scheme $\Sigma_{sign}$, suppose a poly-time 
algorithm $\mathcal{A}$ exists such that 
$\mathrm{Game}_{j,1}Adv_{\mathcal{A}} - \mathrm{Game}_{j,2}Adv_{\mathcal{A}} = \epsilon$. Then 
we can construct a poly-time algorithm $\mathcal{B}$ with advantage $\epsilon$ against 
Assumption 2. 

Lemma 3.4.8. Given a UF-CMA signature scheme $\Sigma_{sign}$, suppose a poly-time 
algorithm $\mathcal{A}$ exists such that 
$\mathrm{Game}_{q,2}Adv_{\mathcal{A}} - \mathrm{Game}_{Final}Adv_{\mathcal{A}} = \epsilon$. 
Then we can construct a poly-time algorithm $\mathcal{B}$ with advantage $\epsilon$ 
against Assumption 3. 

Theorem 3.4.9. If the signature scheme $\Sigma_{sign}$ is UF-CMA secure and Assumptions 
1, 2 and 3 hold, then our MA-CP-ABE scheme is secure. 

Proof. If Assumptions 1, 2 and 3 hold and the signature scheme $\Sigma_{sign}$ is UF-CMA 
secure, the previous lemmas show that the real security game is indistinguishable from 
$\mathrm{Game}_{Final}$, in which the value of $\beta$ is information-theoretically hidden 
from the adversary. Hence the adversary cannot obtain a non-negligible advantage in 
breaking $\Pi'$, which implies that the adversary cannot obtain a non-negligible advantage 
in breaking our MA-CP-ABE scheme $\Pi$. □ 

3.4.4 Security Proofs 

In the following proofs, it should be noted that all AKQs are answered with user-attribute-keys generated by running the normal AKeyGen algorithm. In the AKeyGen algorithm, the signature verification (3.1) used to verify $gid$'s $\mathrm{ucpk}_{gid,d^*}$, the check (3.2), and the computation (3.3) work together to ensure that the adversary cannot make use of $\mathrm{ucpk}_{gid,d^*}$ to construct $\mathrm{ucpk}_{gid,d}$ ($d \in \mathbb{D}_c$).

Proof of Lemma 3.4.5.

Proof. $\mathcal{B}$ is given $\mathbb{G} = (N, G, G_T, e)$, $g$, $X_3$, $T$. It will simulate $\mathrm{Game}_{Real}$ or $\mathrm{Game}_{0}$ to $\mathcal{A}$.

$\mathcal{B}$ randomly chooses $a \in \mathbb{Z}_N$, then gives $\mathcal{A}$ $\mathrm{GPK} = \{N, g, h = g^a, X_3\}$, $\mathbb{D} = \{1, 2, \ldots, D\}$, $\mathbb{K} = \{1, 2, \ldots, K\}$, the descriptions of $U_1, U_2, \ldots, U_K$, and the description of the secure signature scheme $\Sigma_{sign}$.

For $d = 1$ to $D$, $\mathcal{B}$ generates a signing key pair $(\mathrm{SignKey}_d, \mathrm{VerifyKey}_d)$ and randomly chooses $\alpha_d \in \mathbb{Z}_N$, then gives $\mathcal{A}$ $\mathrm{CPK}_d = e(g,g)^{\alpha_d}$ and $\mathrm{CAPK}_d = \mathrm{VerifyKey}_d$.

For $k = 1$ to $K$, $\mathcal{B}$ randomly chooses $\{s_{att} \in \mathbb{Z}_N \mid att \in U_k\}$ and $\{v_{k,d} \in \mathbb{Z}_N \mid d \in \mathbb{D}\}$, then gives $\mathcal{A}$ $\mathrm{APK}_k = \{T_{att} = g^{s_{att}} \mid att \in U_k\}$ and $\mathrm{ACPK}_k = \{V_{k,d} = g^{v_{k,d}} \mid d \in \mathbb{D}\}$. $\mathcal{A}$ gives $\mathcal{B}$ the $d^* \in \mathbb{D}$ and $\mathbb{K}_c \subset \mathbb{K}$ where $\mathbb{K} \setminus \mathbb{K}_c \neq \emptyset$. Let $\mathbb{D}_c = \mathbb{D} \setminus \{d^*\}$.

$\mathcal{B}$ gives $\mathcal{A}$ $\mathrm{CMSK}_d = (\alpha_d, \mathrm{SignKey}_d)$ for each $d \in \mathbb{D}_c$, and $\mathrm{AMSK}_k = (\{s_{att} \mid att \in U_k\}, \{v_{k,d} \mid d \in \mathbb{D}\})$ for each $k \in \mathbb{K}_c$.
$\mathcal{B}$ responds to $\mathcal{A}$'s key queries as follows:

• $\mathcal{A}$ makes $\mathrm{CKQ}(gid, d^*)$. $\mathcal{B}$ runs the normal CKeyGen algorithm, since it knows $\mathrm{CMSK}_{d^*}$.

• $\mathcal{A}$ makes $\mathrm{AKQ}(att, k, \{\mathrm{ucpk}_{gid,d} \mid d \in \mathbb{D}\})$ where $k \in \mathbb{K} \setminus \mathbb{K}_c$. $\mathcal{B}$ runs the normal AKeyGen algorithm, since it knows $\mathrm{AMSK}_k$ for each $k \in \mathbb{K} \setminus \mathbb{K}_c$.

$\mathcal{A}$ sends two messages $M_0$ and $M_1$ and an LSSS matrix $(A^*, \rho)$ to $\mathcal{B}$. To make the challenge ciphertext, $\mathcal{B}$ will implicitly set $g^s$ to be the $G_{p_1}$ part of $T$ (we mean that $T$ is the product of $g^s \in G_{p_1}$ and possibly an element of $G_{p_2}$). $\mathcal{B}$ randomly chooses $v'_2, \ldots, v'_n \in \mathbb{Z}_N$ to define a vector $v' = (1, v'_2, \ldots, v'_n) \in \mathbb{Z}_N^n$, and for each row $x$ of $A^*$ it randomly picks $r'_x \in \mathbb{Z}_N$. Then it chooses a random $\beta \in \{0,1\}$ and sets

$$C = M_\beta \cdot \prod_{d=1}^{D} e(g^{\alpha_d}, T), \qquad C' = T,$$

$$\{\, C_x = T^{a A^*_x \cdot v'} \, T^{-r'_x s_{\rho(x)}}, \quad C'_x = T^{r'_x} \mid x \in \{1, 2, \ldots, l\} \,\}.$$

Note that this implicitly sets $v = s v'$ and $r_x = s r'_x$. Modulo $p_1$, this $v$ is a random vector with first coordinate $s$, and $r_x$ is a random value.

If $T \in G_{p_1}$ (i.e., $T = g^s$), this is a properly distributed normal ciphertext.

If $T \in G_{p_1 p_2}$, we let $g_2^c$ denote the $G_{p_2}$ part of $T$ (i.e., $T = g^s g_2^c$). We then have a semi-functional ciphertext with $u = c a v'$, $\gamma_x = -c r'_x$, and $z_{\rho(x)} = s_{\rho(x)}$. Since the values of $a, v'_2, \ldots, v'_n, r'_x, s_{\rho(x)}$ modulo $p_2$ are uncorrelated from their values modulo $p_1$ by the Chinese Remainder Theorem, this is a properly distributed semi-functional ciphertext.

Hence, neglecting the probability that $\Sigma_{sign}$ is broken, $\mathcal{B}$ can use the output of $\mathcal{A}$ to break Assumption 1 with advantage $\epsilon$. □
Proof of Lemma 3.4.6.

Proof. $\mathcal{B}$ is given $\mathbb{G} = (N, G, G_T, e)$, $g$, $X_1 X_2$, $X_3$, $Y_2 Y_3$, $T$. It will simulate $\mathrm{Game}_{j-1,2}$ or $\mathrm{Game}_{j,1}$ to $\mathcal{A}$.

$\mathcal{B}$ randomly chooses $a \in \mathbb{Z}_N$, then gives $\mathcal{A}$ $\mathrm{GPK} = \{N, g, h = g^a, X_3\}$, $\mathbb{D} = \{1, 2, \ldots, D\}$, $\mathbb{K} = \{1, 2, \ldots, K\}$, the descriptions of $U_1, U_2, \ldots, U_K$, and the description of the secure signature scheme $\Sigma_{sign}$.

For $d = 1$ to $D$, $\mathcal{B}$ generates a signing key pair $(\mathrm{SignKey}_d, \mathrm{VerifyKey}_d)$ and randomly chooses $\alpha_d \in \mathbb{Z}_N$, then gives $\mathcal{A}$ $\mathrm{CPK}_d = e(g,g)^{\alpha_d}$ and $\mathrm{CAPK}_d = \mathrm{VerifyKey}_d$.

For $k = 1$ to $K$, $\mathcal{B}$ randomly chooses $\{s_{att} \in \mathbb{Z}_N \mid att \in U_k\}$ and $\{v_{k,d} \in \mathbb{Z}_N \mid d \in \mathbb{D}\}$, then gives $\mathcal{A}$ $\mathrm{APK}_k = \{T_{att} = g^{s_{att}} \mid att \in U_k\}$ and $\mathrm{ACPK}_k = \{V_{k,d} = g^{v_{k,d}} \mid d \in \mathbb{D}\}$. $\mathcal{A}$ gives $\mathcal{B}$ the $d^* \in \mathbb{D}$ and $\mathbb{K}_c \subset \mathbb{K}$ where $\mathbb{K} \setminus \mathbb{K}_c \neq \emptyset$. Let $\mathbb{D}_c = \mathbb{D} \setminus \{d^*\}$.

$\mathcal{B}$ gives $\mathcal{A}$ $\mathrm{CMSK}_d = (\alpha_d, \mathrm{SignKey}_d)$ for each $d \in \mathbb{D}_c$, and $\mathrm{AMSK}_k = (\{s_{att} \mid att \in U_k\}, \{v_{k,d} \mid d \in \mathbb{D}\})$ for each $k \in \mathbb{K}_c$.

$\mathcal{B}$ responds to $\mathcal{A}$'s key queries as follows:

• $\mathcal{A}$ makes $\mathrm{CKQ}(gid, d^*)$. Assume it is the $i$-th CKQ and the corresponding user-key will be $\mathrm{usk}_{gid,d^*}$.

- If $i < j$, $\mathcal{B}$ randomly chooses $r_{gid,d^*} \in \mathbb{Z}_N$, $R'_{gid,d^*} \in G_{p_3}$, $\{R_{gid,d^*,k} \in G_{p_3} \mid k \in \mathbb{K}\}$, and sets

$$\mathrm{ucsk}_{gid,d^*} = g^{\alpha_{d^*}} h^{r_{gid,d^*}} (Y_2 Y_3)^{r_{gid,d^*}}, \qquad L_{gid,d^*} = g^{r_{gid,d^*}} R'_{gid,d^*},$$

$$\Gamma_{gid,d^*,k} = V_{k,d^*}^{\,r_{gid,d^*}} R_{gid,d^*,k} \quad (k = 1, 2, \ldots, K),$$

$$\sigma_{gid,d^*} = \mathrm{Sign}(\mathrm{SignKey}_{d^*},\ gid \,\|\, d^* \,\|\, L_{gid,d^*} \,\|\, \Gamma_{gid,d^*,1} \,\|\, \cdots \,\|\, \Gamma_{gid,d^*,K}).$$ (3.8)

Let $\mathrm{ucpk}_{gid,d^*} = (gid, d^*, L_{gid,d^*}, \{\Gamma_{gid,d^*,k} \mid k \in \mathbb{K}\}, \sigma_{gid,d^*})$. $\mathcal{B}$ answers $\mathcal{A}$ with $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$. Note that since the values of $r_{gid,d^*}$ modulo $p_2$ and $p_3$ are uncorrelated to its value modulo $p_1$, $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is a properly distributed semi-functional user-central-key of type 2.

- If $i > j$, $\mathcal{B}$ runs the normal CKeyGen algorithm, since it knows $\mathrm{CMSK}_{d^*}$.

- If $i = j$, $\mathcal{B}$ implicitly sets $g^{r_{gid,d^*}}$ equal to the $G_{p_1}$ part of $T$. $\mathcal{B}$ randomly chooses $R_{gid,d^*}, R'_{gid,d^*} \in G_{p_3}$, $\{R_{gid,d^*,k} \in G_{p_3} \mid k \in \mathbb{K}\}$, and sets

$$\mathrm{ucsk}_{gid,d^*} = g^{\alpha_{d^*}} T^{a} R_{gid,d^*}, \qquad L_{gid,d^*} = T R'_{gid,d^*},$$

$$\Gamma_{gid,d^*,k} = T^{v_{k,d^*}} R_{gid,d^*,k} \quad (k = 1, 2, \ldots, K),$$

$$\sigma_{gid,d^*} = \mathrm{Sign}(\mathrm{SignKey}_{d^*},\ gid \,\|\, d^* \,\|\, L_{gid,d^*} \,\|\, \Gamma_{gid,d^*,1} \,\|\, \cdots \,\|\, \Gamma_{gid,d^*,K}).$$ (3.9)

Let $\mathrm{ucpk}_{gid,d^*} = (gid, d^*, L_{gid,d^*}, \{\Gamma_{gid,d^*,k} \mid k \in \mathbb{K}\}, \sigma_{gid,d^*})$. $\mathcal{B}$ answers $\mathcal{A}$ with $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$.

If $T \in G_{p_1 p_3}$, $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is a properly distributed normal user-central-key.

If $T \in G$, $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is a properly distributed semi-functional user-central-key of type 1. In this case, we have implicitly set $w_{k,d^*} = v_{k,d^*}$. If we let $g_2^b$ denote the $G_{p_2}$ part of $T$, we have that $\delta = ba$ modulo $p_2$, i.e., the $G_{p_2}$ part of $\mathrm{ucsk}_{gid,d^*}$ is $g_2^{ba}$, the $G_{p_2}$ part of $L_{gid,d^*}$ is $g_2^{b}$, and the $G_{p_2}$ part of $\Gamma_{gid,d^*,k}$ is $g_2^{b v_{k,d^*}}$. Note that the value of $v_{k,d^*}$ modulo $p_2$ is uncorrelated from the value of $v_{k,d^*}$ modulo $p_1$.

• $\mathcal{A}$ makes $\mathrm{AKQ}(att, k, \{\mathrm{ucpk}_{gid,d} \mid d \in \mathbb{D}\})$ where $k \in \mathbb{K} \setminus \mathbb{K}_c$. $\mathcal{B}$ responds to $\mathcal{A}$ as in the real security game by running the normal AKeyGen algorithm, since it knows $\mathrm{AMSK}_k$ for each $k \in \mathbb{K} \setminus \mathbb{K}_c$.

For $\mathrm{uask}_{att,gid,d^*}$, the corresponding $\mathrm{ucpk}_{gid,d^*}$ must be the answer that $\mathcal{A}$ got from $\mathcal{B}$ by making a CKQ, because of the signature verification (3.1). Assume the corresponding CKQ is the $i$-th CKQ; we have

- If $i < j$,

$$\mathrm{uask}_{att,gid,d^*} = (\Gamma_{gid,d^*,k})^{s_{att}/v_{k,d^*}} R_{att,gid,d^*} = \big(V_{k,d^*}^{\,r_{gid,d^*}} R_{gid,d^*,k}\big)^{s_{att}/v_{k,d^*}} R_{att,gid,d^*} \quad \text{(by } \Gamma_{gid,d^*,k} \text{ in (3.8))}$$

$$= T_{att}^{\,r_{gid,d^*}} R'_{att,gid,d^*}.$$

It is properly distributed semi-functional of type 2. Since the corresponding $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is properly distributed semi-functional of type 2, we have $\mathrm{usk}_{gid,d^*}$ as a semi-functional user-key of type 2.

- If $i > j$, note that the corresponding $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is generated by running the normal CKeyGen algorithm, so we have $\mathrm{usk}_{gid,d^*}$ as a normal user-key.

- If $i = j$,

$$\mathrm{uask}_{att,gid,d^*} = (\Gamma_{gid,d^*,k})^{s_{att}/v_{k,d^*}} R_{att,gid,d^*} = \big(T^{v_{k,d^*}} R_{gid,d^*,k}\big)^{s_{att}/v_{k,d^*}} R_{att,gid,d^*} \quad \text{(by } \Gamma_{gid,d^*,k} \text{ in (3.9))}$$

$$= T^{s_{att}} R'_{att,gid,d^*}.$$

If $T \in G_{p_1 p_3}$, $\mathrm{uask}_{att,gid,d^*}$ is properly distributed normal, where $g^{r_{gid,d^*}}$ equals the $G_{p_1}$ part of $T$. Since the corresponding $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is properly distributed normal, we have $\mathrm{usk}_{gid,d^*}$ as a normal user-key.

If $T \in G$, $\mathrm{uask}_{att,gid,d^*}$ is properly distributed semi-functional of type 1. In this case, we have implicitly set $z_{att} = s_{att}$. The $G_{p_2}$ part of $\mathrm{uask}_{att,gid,d^*}$ is $g_2^{b s_{att}}$, and the value of $s_{att}$ modulo $p_2$ is uncorrelated from the value of $s_{att}$ modulo $p_1$. Since the corresponding $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is properly distributed semi-functional of type 1, we have $\mathrm{usk}_{gid,d^*}$ as a semi-functional user-key of type 1.

$\mathcal{A}$ sends two messages $M_0$ and $M_1$ and an LSSS matrix $(A^*, \rho)$ to $\mathcal{B}$. To make the semi-functional challenge ciphertext, $\mathcal{B}$ implicitly sets $g^s = X_1$ and $g_2^c = X_2$. It randomly chooses $u_2, \ldots, u_n \in \mathbb{Z}_N$ to define a vector $u' = (a, u_2, \ldots, u_n)$, and for each row $x$ of $A^*$ it randomly picks $r'_x \in \mathbb{Z}_N$. Then it chooses a random $\beta \in \{0,1\}$ and sets

$$C = M_\beta \prod_{d=1}^{D} e(g^{\alpha_d}, X_1 X_2), \qquad C' = X_1 X_2,$$

$$\{\, C_x = (X_1 X_2)^{A^*_x \cdot u'} (X_1 X_2)^{-r'_x s_{\rho(x)}}, \quad C'_x = (X_1 X_2)^{r'_x} \mid x \in \{1, 2, \ldots, l\} \,\}.$$

Note that this implicitly sets $v = s a^{-1} u'$, $u = c u'$, $r_x = s r'_x$, and $\gamma_x = -c r'_x$. The values $z_{\rho(x)} = s_{\rho(x)}$ match those in the $j$-th $\mathrm{usk}_{gid,d^*}$ if it is a semi-functional user-key of type 1, as required.

The challenge ciphertext and the $\mathrm{usk}_{gid,d^*}$ are almost properly distributed, except for the fact that the first coordinate of $u$ (which equals $ca$) is correlated with the value of $a$ modulo $p_2$ that also appears in $\mathrm{ucsk}_{gid,d^*}$ if it is semi-functional. In fact, if the $\mathrm{usk}_{gid,d^*}$ could be used to reconstruct $e(g,g)^{\alpha_{d^*} s}$, we would have $c\delta - b u_1 = cba - bca = 0$ modulo $p_2$, so $\mathrm{usk}_{gid,d^*}$ is either normal or nominally semi-functional. We must argue that this is hidden from $\mathcal{A}$, who cannot request any user-keys that reconstruct $e(g,g)^{\alpha_{d^*} s}$ and then decrypt the challenge ciphertext.

To argue that the value being shared in $G_{p_2}$ in the challenge ciphertext is information-theoretically hidden, we appeal to our restriction that attributes are only used once in labeling the rows of the matrix. Since $S_{gid} \cup (\bigcup_{k \in \mathbb{K}_c} U_k)$ cannot satisfy $(A^*, \rho)$, the space $R = \mathrm{span}\{A^*_x \mid \rho(x) \in S_{gid} \cup (\bigcup_{k \in \mathbb{K}_c} U_k)\}$ does not include the vector $(1, 0, \ldots, 0)$. Then there exists a vector $w$ such that $w_1 = w \cdot (1, 0, \ldots, 0) \neq 0$ and $\forall v_R \in R$, $w \cdot v_R = 0$. We can write $u = \theta w + u''$ where $\theta \in \mathbb{Z}_N$ and $u'' \perp w$ is distributed uniformly at random in $R$. We note that $u''$ reveals no information about $\theta$ and that $u_1 = u \cdot (1, 0, \ldots, 0) = \theta w_1 + u'' \cdot (1, 0, \ldots, 0)$ cannot be determined from $u''$ alone. However, the shares corresponding to rows whose attributes are in $S_{gid} \cup (\bigcup_{k \in \mathbb{K}_c} U_k)$ only reveal information about $u''$, since $\forall v_R \in R$, $w \cdot v_R = 0$.

$\theta w$ appears only in the equations of the form $A^*_x \cdot u + \gamma_x z_{\rho(x)}$ where the attribute $\rho(x) \notin S_{gid} \cup (\bigcup_{k \in \mathbb{K}_c} U_k)$. Since attributes are only used once in labeling the rows of the matrix, as long as each $\gamma_x$ is not congruent to 0 modulo $p_2$, each of these equations introduces a new unknown $z_{\rho(x)}$ that appears nowhere else, and thus no information about $\theta$ can be learned by the adversary. The probability that any $\gamma_x$ is congruent to 0 modulo $p_2$ is negligible. Thus, the ciphertext and the key $\mathrm{usk}_{gid,d^*}$ are properly distributed in the adversary's view with probability negligibly close to 1.

Thus, if $T \in G_{p_1 p_3}$, $\mathcal{B}$ has properly simulated $\mathrm{Game}_{j-1,2}$, and if $T \in G$ and all the $\gamma_x = -c r'_x$ values are non-zero modulo $p_2$, then $\mathcal{B}$ has properly simulated $\mathrm{Game}_{j,1}$. Neglecting the probability that $\Sigma_{sign}$ is broken, $\mathcal{B}$ can, therefore, use the output of $\mathcal{A}$ to gain advantage negligibly close to $\epsilon$ against Assumption 2. □
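The hiding step of the proof above (a vector $w$ with $w_1 \neq 0$ orthogonal to every row the adversary can use, so that $u$ and $u + \theta w$ give identical shares on those rows) is worked out below over $\mathbb{Z}_p$ for a small prime, as an added example that is not the book's code. The LSSS matrix for the policy ((A AND B) OR C) AND D, its attribute labels and the prime are constructed for this example; $\mathbb{Z}_p$ stands in for the exponents modulo $p_2$.

```python
# Added example (not from the book): the "theta*w is hidden" argument of Lemma 3.4.6,
# worked over Z_p for a constructed small prime p standing in for the exponents modulo p_2.
from random import randrange

P = 101  # constructed small prime

# Constructed LSSS (A*, rho) for the policy ((A AND B) OR C) AND D, built with the usual
# AND/OR row labelling; the sharing target vector is (1, 0, 0).
A_STAR = [[1, 1, 1], [0, 0, -1], [1, 1, 0], [0, -1, 0]]
RHO = ["A", "B", "C", "D"]


def nullspace_mod_p(rows, n, p=P):
    """Basis of {w in Z_p^n : row . w = 0 for every row}, by Gauss-Jordan elimination."""
    m = [[x % p for x in r] for r in rows]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [(x * inv) % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
        if r == len(m):
            break
    basis = []
    for free in (c for c in range(n) if c not in pivots):
        w = [0] * n
        w[free] = 1
        for i, c in enumerate(pivots):
            w[c] = (-m[i][free]) % p
        basis.append(w)
    return basis


def hiding_vector(A, rho, known, p=P):
    """w with w_1 != 0 and w . A_x = 0 for every row x whose attribute is in `known`
    (those rows span R). Returns None when no such w exists, i.e. `known` satisfies (A*, rho)."""
    n = len(A[0])
    r_rows = [A[x] for x in range(len(A)) if rho[x] in known]
    for w in nullspace_mod_p(r_rows, n, p):
        if w[0]:
            return w
    return None


def known_shares(A, rho, known, u, p=P):
    """Shares A_x . u for exactly the rows whose attribute the adversary holds."""
    return {rho[x]: sum(a * b for a, b in zip(A[x], u)) % p
            for x in range(len(A)) if rho[x] in known}


def theta_is_hidden(A, rho, known, p=P):
    """Pick a random u and theta and check that u and u + theta*w yield the same known
    shares while their first coordinates (u_1 = c*a in the proof) differ."""
    w = hiding_vector(A, rho, known, p)
    if w is None:
        return False  # the known attributes are authorized: there is nothing to hide
    u = [randrange(p) for _ in A[0]]
    theta = randrange(1, p)
    u2 = [(a + theta * b) % p for a, b in zip(u, w)]
    same_shares = known_shares(A, rho, known, u, p) == known_shares(A, rho, known, u2, p)
    return same_shares and u[0] != u2[0]
```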

Proof of Lemma 3.4.7.

Proof. $\mathcal{B}$ is given $\mathbb{G} = (N, G, G_T, e)$, $g$, $X_1 X_2$, $X_3$, $Y_2 Y_3$, $T$. It will simulate $\mathrm{Game}_{j,1}$ or $\mathrm{Game}_{j,2}$ to $\mathcal{A}$.

$\mathcal{B}$ randomly chooses $a \in \mathbb{Z}_N$, then gives $\mathcal{A}$ $\mathrm{GPK} = \{N, g, h = g^a, X_3\}$, as well as $\mathbb{D} = \{1, 2, \ldots, D\}$, $\mathbb{K} = \{1, 2, \ldots, K\}$, the descriptions of $U_1, U_2, \ldots, U_K$, and the description of the secure signature scheme $\Sigma_{sign}$.

For $d = 1$ to $D$, $\mathcal{B}$ generates a signing key pair $(\mathrm{SignKey}_d, \mathrm{VerifyKey}_d)$ and randomly chooses $\alpha_d \in \mathbb{Z}_N$, then gives $\mathcal{A}$ $\mathrm{CPK}_d = e(g,g)^{\alpha_d}$ and $\mathrm{CAPK}_d = \mathrm{VerifyKey}_d$.

For $k = 1$ to $K$, $\mathcal{B}$ randomly chooses $\{s_{att} \in \mathbb{Z}_N \mid att \in U_k\}$ and $\{v_{k,d} \in \mathbb{Z}_N \mid d \in \mathbb{D}\}$, then gives $\mathcal{A}$ $\mathrm{APK}_k = \{T_{att} = g^{s_{att}} \mid att \in U_k\}$ and $\mathrm{ACPK}_k = \{V_{k,d} = g^{v_{k,d}} \mid d \in \mathbb{D}\}$. $\mathcal{A}$ gives $\mathcal{B}$ the $d^* \in \mathbb{D}$ and $\mathbb{K}_c \subset \mathbb{K}$ where $\mathbb{K} \setminus \mathbb{K}_c \neq \emptyset$. Let $\mathbb{D}_c = \mathbb{D} \setminus \{d^*\}$.

$\mathcal{B}$ gives $\mathcal{A}$ $\mathrm{CMSK}_d = (\alpha_d, \mathrm{SignKey}_d)$ for each $d \in \mathbb{D}_c$, and $\mathrm{AMSK}_k = (\{s_{att} \mid att \in U_k\}, \{v_{k,d} \mid d \in \mathbb{D}\})$ for each $k \in \mathbb{K}_c$.

$\mathcal{B}$ responds to $\mathcal{A}$'s key queries as follows:

• $\mathcal{A}$ makes $\mathrm{CKQ}(gid, d^*)$. Assume it is the $i$-th CKQ and the corresponding user-key will be $\mathrm{usk}_{gid,d^*}$.

- If $i < j$, $\mathcal{B}$ randomly chooses $r_{gid,d^*} \in \mathbb{Z}_N$, $R'_{gid,d^*} \in G_{p_3}$, $\{R_{gid,d^*,k} \in G_{p_3} \mid k \in \mathbb{K}\}$, and sets

$$\mathrm{ucsk}_{gid,d^*} = g^{\alpha_{d^*}} h^{r_{gid,d^*}} (Y_2 Y_3)^{r_{gid,d^*}}, \qquad L_{gid,d^*} = g^{r_{gid,d^*}} R'_{gid,d^*},$$

$$\Gamma_{gid,d^*,k} = V_{k,d^*}^{\,r_{gid,d^*}} R_{gid,d^*,k} \quad (k = 1, 2, \ldots, K),$$

$$\sigma_{gid,d^*} = \mathrm{Sign}(\mathrm{SignKey}_{d^*},\ gid \,\|\, d^* \,\|\, L_{gid,d^*} \,\|\, \Gamma_{gid,d^*,1} \,\|\, \cdots \,\|\, \Gamma_{gid,d^*,K}).$$ (3.10)

Let $\mathrm{ucpk}_{gid,d^*} = (gid, d^*, L_{gid,d^*}, \{\Gamma_{gid,d^*,k} \mid k \in \mathbb{K}\}, \sigma_{gid,d^*})$. $\mathcal{B}$ answers $\mathcal{A}$ with $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$. Note that since the values of $r_{gid,d^*}$ modulo $p_2$ and $p_3$ are uncorrelated to its value modulo $p_1$, $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is a properly distributed semi-functional user-central-key of type 2.

- If $i > j$, $\mathcal{B}$ runs the normal CKeyGen algorithm, since it knows $\mathrm{CMSK}_{d^*}$.

- If $i = j$, $\mathcal{B}$ implicitly sets $g^{r_{gid,d^*}}$ equal to the $G_{p_1}$ part of $T$. $\mathcal{B}$ randomly chooses $R_{gid,d^*}, R'_{gid,d^*} \in G_{p_3}$, $\{R_{gid,d^*,k} \in G_{p_3} \mid k \in \mathbb{K}\}$, $\eta \in \mathbb{Z}_N$, and sets

$$\mathrm{ucsk}_{gid,d^*} = g^{\alpha_{d^*}} T^{a} R_{gid,d^*} (Y_2 Y_3)^{\eta}, \qquad L_{gid,d^*} = T R'_{gid,d^*},$$

$$\Gamma_{gid,d^*,k} = T^{v_{k,d^*}} R_{gid,d^*,k} \quad (k = 1, 2, \ldots, K),$$

$$\sigma_{gid,d^*} = \mathrm{Sign}(\mathrm{SignKey}_{d^*},\ gid \,\|\, d^* \,\|\, L_{gid,d^*} \,\|\, \Gamma_{gid,d^*,1} \,\|\, \cdots \,\|\, \Gamma_{gid,d^*,K}).$$ (3.11)

Let $\mathrm{ucpk}_{gid,d^*} = (gid, d^*, L_{gid,d^*}, \{\Gamma_{gid,d^*,k} \mid k \in \mathbb{K}\}, \sigma_{gid,d^*})$. $\mathcal{B}$ answers $\mathcal{A}$ with $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$.

If $T \in G_{p_1 p_3}$, $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is a properly distributed semi-functional user-central-key of type 2.

If $T \in G$, $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is a properly distributed semi-functional user-central-key of type 1. In this case, we have implicitly set $w_{k,d^*} = v_{k,d^*}$. If we let $g_2^b$ denote the $G_{p_2}$ part of $T$ and $g_2^{y_2} = Y_2$, we have that $\delta = ba + \eta y_2$ modulo $p_2$, i.e., the $G_{p_2}$ part of $\mathrm{ucsk}_{gid,d^*}$ is $g_2^{ba + \eta y_2}$, the $G_{p_2}$ part of $L_{gid,d^*}$ is $g_2^{b}$, and the $G_{p_2}$ part of $\Gamma_{gid,d^*,k}$ is $g_2^{b v_{k,d^*}}$. Note that the value of $v_{k,d^*}$ modulo $p_2$ is uncorrelated from the value of $v_{k,d^*}$ modulo $p_1$.

• $\mathcal{A}$ makes $\mathrm{AKQ}(att, k, \{\mathrm{ucpk}_{gid,d} \mid d \in \mathbb{D}\})$ where $k \in \mathbb{K} \setminus \mathbb{K}_c$. $\mathcal{B}$ responds to $\mathcal{A}$ as in the real security game by running the normal AKeyGen algorithm, since it knows $\mathrm{AMSK}_k$ for each $k \in \mathbb{K} \setminus \mathbb{K}_c$.

For $\mathrm{uask}_{att,gid,d^*}$, the corresponding $\mathrm{ucpk}_{gid,d^*}$ must be the answer that $\mathcal{A}$ got from $\mathcal{B}$ by making a CKQ, because of the signature verification (3.1). Assume the corresponding CKQ is the $i$-th CKQ; we have

- If $i < j$,

$$\mathrm{uask}_{att,gid,d^*} = (\Gamma_{gid,d^*,k})^{s_{att}/v_{k,d^*}} R_{att,gid,d^*} = \big(V_{k,d^*}^{\,r_{gid,d^*}} R_{gid,d^*,k}\big)^{s_{att}/v_{k,d^*}} R_{att,gid,d^*} \quad \text{(by } \Gamma_{gid,d^*,k} \text{ in (3.10))}$$

$$= T_{att}^{\,r_{gid,d^*}} R'_{att,gid,d^*}.$$

It is properly distributed semi-functional of type 2. Since the corresponding $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is properly distributed semi-functional of type 2, we have $\mathrm{usk}_{gid,d^*}$ as a semi-functional user-key of type 2.

- If $i > j$, note that the corresponding $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is generated by running the normal CKeyGen algorithm, so we have $\mathrm{usk}_{gid,d^*}$ as a normal user-key.

- If $i = j$,

$$\mathrm{uask}_{att,gid,d^*} = (\Gamma_{gid,d^*,k})^{s_{att}/v_{k,d^*}} R_{att,gid,d^*} = \big(T^{v_{k,d^*}} R_{gid,d^*,k}\big)^{s_{att}/v_{k,d^*}} R_{att,gid,d^*} \quad \text{(by } \Gamma_{gid,d^*,k} \text{ in (3.11))}$$

$$= T^{s_{att}} R'_{att,gid,d^*}.$$

If $T \in G_{p_1 p_3}$, $\mathrm{uask}_{att,gid,d^*}$ is properly distributed semi-functional of type 2, where $g^{r_{gid,d^*}}$ equals the $G_{p_1}$ part of $T$. Since the corresponding $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is properly distributed semi-functional of type 2, we have $\mathrm{usk}_{gid,d^*}$ as a semi-functional user-key of type 2.

If $T \in G$, $\mathrm{uask}_{att,gid,d^*}$ is properly distributed semi-functional of type 1. In this case, we have implicitly set $z_{att} = s_{att}$. The $G_{p_2}$ part of $\mathrm{uask}_{att,gid,d^*}$ is $g_2^{b s_{att}}$, and the value of $s_{att}$ modulo $p_2$ is uncorrelated from the value of $s_{att}$ modulo $p_1$. Since the corresponding $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is properly distributed semi-functional of type 1, we have $\mathrm{usk}_{gid,d^*}$ as a semi-functional user-key of type 1.


$\mathcal{A}$ sends two messages $M_0$ and $M_1$ and an LSSS matrix $(A^*, \rho)$ to $\mathcal{B}$. To make the semi-functional challenge ciphertext, $\mathcal{B}$ implicitly sets $g^s = X_1$ and $g_2^c = X_2$. It randomly chooses $u_2, \ldots, u_n \in \mathbb{Z}_N$ to define a vector $u' = (a, u_2, \ldots, u_n)$, and for each row $x$ of $A^*$ it randomly picks $r'_x \in \mathbb{Z}_N$. Then it chooses a random $\beta \in \{0,1\}$ and sets

$$C = M_\beta \cdot \prod_{d=1}^{D} e(g^{\alpha_d}, X_1 X_2), \qquad C' = X_1 X_2,$$

$$\{\, C_x = (X_1 X_2)^{A^*_x \cdot u'} (X_1 X_2)^{-r'_x s_{\rho(x)}}, \quad C'_x = (X_1 X_2)^{r'_x} \mid x \in \{1, 2, \ldots, l\} \,\}.$$

We note that this implicitly sets $v = s a^{-1} u'$, $u = c u'$, $r_x = s r'_x$ and $\gamma_x = -c r'_x$. The values $z_{\rho(x)} = s_{\rho(x)}$ match those in the $j$-th $\mathrm{usk}_{gid,d^*}$ if it is a semi-functional user-key of type 1, as required.

The challenge ciphertext and the $\mathrm{usk}_{gid,d^*}$ are properly distributed because the $G_{p_2}$ part of $\mathrm{ucsk}_{gid,d^*}$ is randomized by $\eta$.

Thus, if $T \in G_{p_1 p_3}$, $\mathcal{B}$ has properly simulated $\mathrm{Game}_{j,2}$, and if $T \in G$, $\mathcal{B}$ has properly simulated $\mathrm{Game}_{j,1}$. Neglecting the probability that $\Sigma_{sign}$ is broken, $\mathcal{B}$ can, therefore, use the output of $\mathcal{A}$ to gain advantage $\epsilon$ against Assumption 2. □

Proof of Lemma 3.4.8.

Proof. $\mathcal{B}$ is given $\mathbb{G} = (N, G, G_T, e)$, $g$, $g^{\alpha} X_2$, $X_3$, $g^s Y_2$, $Z_2$, $T$. It will simulate $\mathrm{Game}_{q,2}$ or $\mathrm{Game}_{Final}$ to $\mathcal{A}$.

$\mathcal{B}$ randomly chooses $a \in \mathbb{Z}_N$, then gives $\mathcal{A}$ $\mathrm{GPK} = \{N, g, h = g^a, X_3\}$, as well as $\mathbb{D} = \{1, 2, \ldots, D\}$, $\mathbb{K} = \{1, 2, \ldots, K\}$, the descriptions of $U_1, U_2, \ldots, U_K$, and the description of the secure signature scheme $\Sigma_{sign}$. $\mathcal{B}$ randomly chooses $d' \in \mathbb{D}$.

For $d = 1$ to $D$, $\mathcal{B}$ generates a signing key pair $(\mathrm{SignKey}_d, \mathrm{VerifyKey}_d)$. If $d \neq d'$, $\mathcal{B}$ randomly chooses $\alpha_d \in \mathbb{Z}_N$ and sets $\mathrm{CPK}_d = e(g,g)^{\alpha_d}$; otherwise $\mathcal{B}$ sets $\mathrm{CPK}_{d'} = e(g, g^{\alpha} X_2)$. $\mathcal{B}$ gives $\mathcal{A}$ $\mathrm{CPK}_d$ and $\mathrm{CAPK}_d = \mathrm{VerifyKey}_d$. This implicitly sets $\alpha_{d'} = \alpha$. For $k = 1$ to $K$, $\mathcal{B}$ randomly chooses $\{s_{att} \in \mathbb{Z}_N \mid att \in U_k\}$ and $\{v_{k,d} \in \mathbb{Z}_N \mid d \in \mathbb{D}\}$, then gives $\mathcal{A}$ $\mathrm{APK}_k = \{T_{att} = g^{s_{att}} \mid att \in U_k\}$ and $\mathrm{ACPK}_k = \{V_{k,d} = g^{v_{k,d}} \mid d \in \mathbb{D}\}$. $\mathcal{A}$ gives $\mathcal{B}$ the $d^* \in \mathbb{D}$ and $\mathbb{K}_c \subset \mathbb{K}$ where $\mathbb{K} \setminus \mathbb{K}_c \neq \emptyset$. If $d^* \neq d'$, $\mathcal{B}$ has guessed $d^*$ wrongly and aborts. Note that the public parameters are properly distributed; the probability that $\mathcal{B}$ guesses the right $d^*$ is $1/D$.

$\mathcal{B}$ gives $\mathcal{A}$ $\mathrm{CMSK}_d = (\alpha_d, \mathrm{SignKey}_d)$ for each $d \in \mathbb{D}_c = \mathbb{D} \setminus \{d^*\}$, and $\mathrm{AMSK}_k = (\{s_{att} \mid att \in U_k\}, \{v_{k,d} \mid d \in \mathbb{D}\})$ for each $k \in \mathbb{K}_c$.

$\mathcal{B}$ responds to $\mathcal{A}$'s key queries as follows:

• $\mathcal{A}$ makes $\mathrm{CKQ}(gid, d^*)$. Assume the corresponding user-key will be $\mathrm{usk}_{gid,d^*}$. $\mathcal{B}$ randomly chooses $r_{gid,d^*} \in \mathbb{Z}_N$, $R_{gid,d^*}, R'_{gid,d^*} \in G_{p_3}$, $\{R_{gid,d^*,k} \in G_{p_3} \mid k \in \mathbb{K}\}$, and sets

$$\mathrm{ucsk}_{gid,d^*} = (g^{\alpha} X_2)\, h^{r_{gid,d^*}} (Z_2)^{r_{gid,d^*}} R_{gid,d^*}, \qquad L_{gid,d^*} = g^{r_{gid,d^*}} R'_{gid,d^*},$$

$$\Gamma_{gid,d^*,k} = V_{k,d^*}^{\,r_{gid,d^*}} R_{gid,d^*,k} \quad (k = 1, 2, \ldots, K),$$

$$\sigma_{gid,d^*} = \mathrm{Sign}(\mathrm{SignKey}_{d^*},\ gid \,\|\, d^* \,\|\, L_{gid,d^*} \,\|\, \Gamma_{gid,d^*,1} \,\|\, \cdots \,\|\, \Gamma_{gid,d^*,K}).$$ (3.12)

Let $\mathrm{ucpk}_{gid,d^*} = (gid, d^*, L_{gid,d^*}, \{\Gamma_{gid,d^*,k} \mid k \in \mathbb{K}\}, \sigma_{gid,d^*})$. $\mathcal{B}$ answers $\mathcal{A}$ with $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$. Note that since the value of $r_{gid,d^*}$ modulo $p_2$ is uncorrelated to its value modulo $p_1$, $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is a properly distributed semi-functional user-central-key of type 2.

• $\mathcal{A}$ makes $\mathrm{AKQ}(att, k, \{\mathrm{ucpk}_{gid,d} \mid d \in \mathbb{D}\})$ where $k \in \mathbb{K} \setminus \mathbb{K}_c$. $\mathcal{B}$ responds to $\mathcal{A}$ as in the real security game by running the normal AKeyGen algorithm, since it knows $\mathrm{AMSK}_k$ for each $k \in \mathbb{K} \setminus \mathbb{K}_c$.

For $\mathrm{uask}_{att,gid,d^*}$, the corresponding $\mathrm{ucpk}_{gid,d^*}$ must be the answer that $\mathcal{A}$ got from $\mathcal{B}$ by making a CKQ, because of the signature verification (3.1). Then we have

$$\mathrm{uask}_{att,gid,d^*} = (\Gamma_{gid,d^*,k})^{s_{att}/v_{k,d^*}} R_{att,gid,d^*} = \big(V_{k,d^*}^{\,r_{gid,d^*}} R_{gid,d^*,k}\big)^{s_{att}/v_{k,d^*}} R_{att,gid,d^*} \quad \text{(by } \Gamma_{gid,d^*,k} \text{ in (3.12))}$$

$$= T_{att}^{\,r_{gid,d^*}} R'_{att,gid,d^*}.$$

It is properly distributed semi-functional of type 2. Since the corresponding $(\mathrm{ucsk}_{gid,d^*}, \mathrm{ucpk}_{gid,d^*})$ is properly distributed semi-functional of type 2, we have $\mathrm{usk}_{gid,d^*}$ as a semi-functional user-key of type 2.

$\mathcal{A}$ sends two messages $M_0, M_1$ and an LSSS matrix $(A^*, \rho)$ to $\mathcal{B}$. To make the semi-functional challenge ciphertext, $\mathcal{B}$ implicitly takes $s$ from the assumption term $g^s Y_2$ and sets $g_2^c = Y_2$. It randomly chooses $u_2, \ldots, u_n \in \mathbb{Z}_N$ to define a vector $u' = (a, u_2, \ldots, u_n)$, and for each row $x$ of $A^*$ it randomly picks $r'_x \in \mathbb{Z}_N$. Then it chooses a random $\beta \in \{0,1\}$ and sets

$$C = M_\beta \cdot T \cdot \prod_{d \in \mathbb{D},\, d \neq d^*} e(g,g)^{\alpha_d s}, \qquad C' = g^s Y_2,$$

$$\{\, C_x = (g^s Y_2)^{A^*_x \cdot u'} (g^s Y_2)^{-r'_x s_{\rho(x)}}, \quad C'_x = (g^s Y_2)^{r'_x} \mid x \in \{1, 2, \ldots, l\} \,\}.$$

We note that this implicitly sets $v = s a^{-1} u'$, $u = c u'$, $r_x = s r'_x$ and $\gamma_x = -c r'_x$.

If $T = e(g,g)^{\alpha s}$, this is a properly distributed semi-functional ciphertext of the encryption of $M_\beta$. Otherwise, it is a properly distributed semi-functional ciphertext of the encryption of a random message in $G_T$. Thus, neglecting the probability that $\Sigma_{sign}$ is broken, $\mathcal{B}$ can use the output of $\mathcal{A}$ to gain advantage $\epsilon/D$ against Assumption 3. □

3.5 Interval Encryption Schemes 

A broadcast encryption (BE) scheme enables a broadcaster to choose a subset $S$ of $n$ users, who are listening to the broadcast channel, and encrypt a message for this subset. Any user in $S$ is allowed to successfully decrypt the message. Even if all the users outside of $S$ collude, they cannot obtain any useful information about the broadcast message. In the following, we also use $r$ to represent the number of revoked users, i.e., $r = n - |S|$, where $|S|$ is the size of $S$. Compared with a private key BE scheme [13,288], a public key broadcast encryption has the benefit that users are not required to pre-share any private information. Therefore, in this section, we mainly focus on public key broadcast encryption. Three efficiency parameters of a BE scheme are of major concern: the transmission cost, the user storage, and the decryption time.

The transmission cost of most current public key BE constructions grows with the revocation number $r$. Naor et al. [221] presented a BE construction (NNL method) with an average ciphertext size of $1.38r$ and private key size $O(\log^2 n)$. The private key size is further improved to $O(\log^{1+\epsilon} n)$, $0 < \epsilon < 1$, in the HS construction [134], where the ciphertext size blows up by a $1/\epsilon$ factor. The private key size is further improved to $O(\log n)$ by Goodrich et al. [126]. Dodis and Fazio [101] presented a generic method (DF transformation) to transform the NNL method and the HS construction into a public key broadcast system using hierarchical identity-based encryption (HIBE). The transmission overhead remains unchanged, and the private key consists of $O(\log^2 n)$ and $O(\log^{1+\epsilon} n)$ HIBE node secret keys, respectively, if the DF transformation is instantiated with BBG HIBE [35]. The security is reduced to the standard Decisional BDHE assumption and the decryption time cost is $O(\log n)$. The decryption time is then improved to constant by Liu and Teng [200]. However, their security is reduced to the decisional BDH assumption in the random oracle model. Recently, Sahai and Waters proposed a BE system with a transmission cost linearly dependent on $r$ and constant storage cost. However, the decryption cost is linearly dependent on $r$ and the security is reduced to a complex assumption called the $q$-MEBDH assumption. Actually, it has been pointed out [159] that at least a single key per revoked user should be included in the transmission cost, and hence $r$ might be the lower bound of the transmission overhead in any BE scheme with reasonable decryption computation and storage cost. Therefore, constructing a BE system with a transmission overhead lower than $r$ as well as reasonable user storage and computational cost is still an open problem, which is one of the major issues of this section.

On the other hand, there are two major application scenarios [39] for BE: applications where we broadcast to large sets, namely sets of size $n - r$ for $r \ll n$, and applications where we broadcast to small sets, namely sets of size $|S| \ll n$. Apparently, a BE system with a transmission cost dependent on $r$ is not efficient when $r$ grows, and in particular it fails to be an optimal choice for the second kind of application, where $r$ is very close to $n$. Before BGW proposed their construction [39], the only suitable solution for the latter scenario was the trivial one, i.e., encrypting the message under each recipient's key.

In order to construct a BE scheme suitable for arbitrary receiver sets, we need to break the barrier of $r$. BGW [39] proposed an elegant BE scheme with constant size ciphertext as the first attempt to solve this problem. Although the ciphertext and private key size of their construction are constant, the size of the public key is linearly dependent on $n$. The public key must be accessible to any decryptor, which implies a high storage cost of size $O(n)$. This makes their system unsuitable for the application scenario where users have only limited storage capability [240]. Their underlying assumption is the standard Decisional BDHE assumption. Later, Delerablée [95] proposed a BE construction where the public key size depends on the maximum size of $S$ while both the ciphertext and the private key remain of constant size. However, this still does not serve as an efficient solution for applications where the receiver set is large, namely $r \ll n$. The security of this construction is reduced to a complex assumption called the GDHE assumption in the random oracle model. Besides, the decryption of both constructions is not efficient. The decryption cost of the BGW construction depends on $n$, and the decryption of Delerablée's construction requires $O(|S|)$ operations.

In this section, we consider this problem from a brand-new angle and a more practical point of view. The basic motivation comes from the following observation: in a BE system with $n$ users, each user is assigned an index $i \in [1, n]$, and the receiver set $S$ can be regarded as a collection of $k$ intervals. Considering the fact that the number of intervals contained in $S$ is always less than $r + 1$, and that in the best cases $k$ could even be much less than $r$, the system performance can be dramatically increased if the transmission overhead of the BE system is determined only by the interval number $k$ and is independent of $r$. In this study, we will use a more detailed performance analysis and simulation to show that a BE construction based on $k$ is always more efficient than the previous schemes dependent on $r$, and suitable for more cases in practice.

In order to realize a BE system with a transmission overhead dependent on $k$, we propose a new type of encryption called interval encryption. In interval encryption, a message is encrypted under a collection of natural intervals $S = \bigcup_{j=1}^{k} NI_j$, where $NI_j$ is a natural interval in $[1, n]$. Each receiver is identified by a unique natural number $i \in [1, n]$ and assigned the respective private key. Decryption succeeds if and only if the natural number $i$ belongs to $S$.

We present a generic methodology which can transform a series of binary tree encryptions into interval encryptions. We illustrate the basic methodology using the BBG HIBE scheme [35]. The construction achieves a ciphertext size of $O(k)$ and $O(\log n)$ private storage. The decryption is dominated by at most $O(\log n)$ group operations. The security is reduced to the Decisional BDHE assumption. We note that one of the best public key BE schemes under this assumption is the DF transformation of the HS construction, which requires a transmission cost of size $O(r/\epsilon)$ and a private key consisting of $O(\log^{1+\epsilon} n)$ HIBE node secret keys, where $0 < \epsilon < 1$.

We also apply our basic methodology to the fully secure HIBE scheme [182] proposed by Lewko and Waters to present an adaptively secure interval encryption scheme. Gentry and Waters [123] proposed the first adaptively secure BE scheme under a complex bilinear assumption. The public parameter size of their construction is $\Theta(|S|)$. The private key size is constant, and the ciphertext size of their construction is $O(\max|S|)$. Later, Waters [290] gave the first short-ciphertext adaptively secure BE system under static (i.e., non-$q$-based) assumptions. However, both the public parameter and the private key size are linearly dependent on $n$. The public parameter of our construction is of size $O(\log n)$ and the ciphertext size is $O(k)$. It only requires $O(\log n)$ private storage. In other words, our construction serves as one of the most efficient adaptively secure BE systems. Besides, our construction also reduces its security to static assumptions.

Since we consider the proposal of this new concept and the corresponding methodology to be one of our major contributions, an inclusive extended interval encryption is proposed as another illustration of the power of our basic methodology. A message is encrypted under a collection of intervals $S = \bigcup_{j=1}^{k} NI_j$ in this extended construction. A user's private key corresponds to a certain interval $NI_u$. Decryption succeeds if and only if there is at least one interval $NI_j$, $j \in [1, k]$, such that $NI_u \subseteq NI_j$. The construction also provides users with delegation capability. We also discuss several interesting applications of interval encryption. In particular, we propose a useful concept of range attribute-based encryption and present an efficient construction from interval encryption.

3.5.1 Definitions 

Assumptions. Bilinear maps [223] are crucial for our construction. A pairing is an efficiently computable, nondegenerate function $e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ with the bilinearity property that $e(g^r, g^s) = e(g,g)^{rs}$. Here $\mathbb{G}_1$ and $\mathbb{G}_2$ are both multiplicative groups of prime order $p$, generated by $g$ and $e(g,g)$, respectively.

The security proof of our constructions relies on the Decisional $(d+1)$-BDHE assumption, which can be stated as [47]: given a tuple $[h, g, g^{\alpha}, g^{(\alpha^2)}, \ldots, g^{(\alpha^d)}, g^{(\alpha^{d+2})}, \ldots, g^{(\alpha^{2d})}, Z] \in \mathbb{G}_1^{2d+1} \times \mathbb{G}_2$ for a random exponent $\alpha \in \mathbb{Z}_p$, decide whether

$$Z = e(g,h)^{\alpha^{d+1}}.$$

Notations. We inherit most notations from the underlying BTE and FSE [62] construction. Recall that $d$ denotes the depth of the tree, and $n = 2^d$ is the number of leaf nodes. We set the root node to be $\varepsilon$ by convention. The other nodes of the tree have an associated name chosen from $\{0,1\}^{\le d}$. The left child of a node is its name concatenated with 0, and the right child is its name concatenated with 1. Therefore, each leaf node also has an associated binary name $[\omega_1 \omega_2 \cdots \omega_d]$. We also let a natural number $\omega \in [1, n]$ be associated with the $\omega$-th leaf node of the binary tree (counting from left to right). We implicitly let $\omega = [\omega_1 \omega_2 \cdots \omega_d]$ in the remainder of this section. The $j$-bit prefix of a string $\omega = [\omega_1 \omega_2 \cdots \omega_d]$ is denoted by $\omega|_j$, namely $\omega|_j = [\omega_1 \omega_2 \cdots \omega_j]$. We implicitly set $\omega|_0 = \varepsilon$ and $\omega|_d = \omega$. It is easy to observe that the set of nodes $\omega|_j$, $j \in [1, d]$, corresponds to the nodes on the path from the root to the leaf node $\omega$ (see Figure 3.11(b)). Besides, we use $\omega|_{j,(RS)}$ or $\omega|_{j,(LS)}$ to denote the right or left sibling of $\omega|_j$, respectively, if $\omega|_j$ has such a sibling. Namely, $\omega|_{j,(RS)} = [\omega_1 \omega_2 \cdots \omega_{j-1} 1]$ or $\omega|_{j,(LS)} = [\omega_1 \omega_2 \cdots \omega_{j-1} 0]$.

Generally, our BE system consists of two parallel BTE systems: the right BTE system and the left BTE system. The right BTE system covers all the leaf nodes in the interval $[\omega, n]$ and the left BTE system covers all the leaf nodes in the interval $[1, \omega]$. User $\omega$ is assigned a unique right master key and a left master key. All the node secret keys or private keys for $\omega$ in the right BTE system are derived from the right master key, and those in the left BTE system are derived from the left master key. We use two different subscripts, (L) or (R), in the notations of all these keys to distinguish the left or right BTE system they correspond to.
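The notation above (leaf names, prefixes $\omega|_j$, siblings $\omega|_{j,(RS)}$ and $\omega|_{j,(LS)}$) and the interval view of a receiver set from the start of this section, worked out in an added example that is not the book's code. The depth $d$, leaf $\omega$ and receiver set $S$ are constructed for it; the claim that the leaf together with the right (left) siblings of its prefixes partitions $[\omega, n]$ ($[1, \omega]$) is my reading of which subtrees the right (left) BTE system has to cover, and the code verifies it rather than assuming it.

```python
# Added example (not from the book): the binary-tree notation of Section 3.5.1 and the
# interval decomposition of a receiver set S. All inputs used in the checks are constructed.


def leaf_name(omega, d):
    """Binary name [omega_1 ... omega_d] of the omega-th leaf (1-based, left to right)."""
    if not 1 <= omega <= 2 ** d:
        raise ValueError("omega must lie in [1, n] with n = 2^d")
    return format(omega - 1, f"0{d}b")


def prefix(name, j):
    """omega|_j: the j-bit prefix; omega|_0 is the root epsilon, written ''."""
    return name[:j]


def sibling(name, j, side):
    """omega|_{j,(RS)} (side='RS') or omega|_{j,(LS)} (side='LS'): the sibling of the j-bit
    prefix, or None when omega|_j is the root or is itself already on that side."""
    bit = "1" if side == "RS" else "0"
    if j == 0 or name[j - 1] == bit:
        return None
    return name[: j - 1] + bit


def leaves_under(node, d):
    """Leaf numbers (1-based) in the subtree rooted at `node`; '' is the whole tree."""
    first = int(node.ljust(d, "0"), 2) + 1
    return list(range(first, first + 2 ** (d - len(node))))


def cover(omega, d, side):
    """The leaf omega plus the `side` sibling of every prefix omega|_j that has one.
    For side='RS' these subtrees partition [omega, n], for side='LS' they partition
    [1, omega] (checked by leaves_covered below, not assumed)."""
    name = leaf_name(omega, d)
    nodes = [name]
    for j in range(1, d + 1):
        sib = sibling(name, j, side)
        if sib is not None:
            nodes.append(sib)
    return nodes


def leaves_covered(nodes, d):
    """Sorted union of the leaves under the given nodes."""
    covered = set()
    for node in nodes:
        covered.update(leaves_under(node, d))
    return sorted(covered)


def intervals(S):
    """Maximal natural intervals [l_j, r_j] of S, in increasing order (r_j < l_{j+1})."""
    out = []
    for x in sorted(set(S)):
        if out and out[-1][1] == x - 1:
            out[-1][1] = x
        else:
            out.append([x, x])
    return [tuple(i) for i in out]


def interval_count_vs_revoked(S, n):
    """(k, r): the number of intervals of S and the number of revoked users r = n - |S|.
    Every gap between two intervals contains a revoked user, so k <= r + 1."""
    return len(intervals(S)), n - len(set(S))
```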

3.5.2 Security Models 

Our construction is a key encapsulation mechanism (KEM)$^7$, thus long messages can be encrypted under a short symmetric key. An interval encryption scheme is made up of four randomized algorithms:

Setup($n$): Take as input a natural interval $[1, n]$. It outputs a public key PK and the system master key $SK_\varepsilon$.

PvkGen($\omega$, $SK_\varepsilon$): Take as input a natural number $\omega \in [1, n]$ and the system master key $SK_\varepsilon$. It outputs a private key $D_\omega$.

$^7$ We adopt KEM for ease of comparison, since all the BE constructions in the literature employ the same mechanism.

Encrypt(5, PK): Take as input a public key PK, and a A'- wise natural interval set 
S = UjU NIj where NIj = [lj,Vj] satisfying 1 < h < r\ < I 2 < V 2 • • ■ < h < 
Tk < n. For j £ [1, k], it outputs k pairs {Hdr,, Kj}. We call Hdr = {Hdrj}j =1 the 
header and I\ = {Kj}j = i the message encryption keys. 

Let M be a message that should be decipherable precisely by the receivers holding 
the private key corresponding tow € S. For j £ [1, k], let C :j be the encryption of M 
under the message encryption key Kj. Let Cm be the collection of these encryption, 
namely Cm = {Cj}j_ i- The whole ciphertext consists of (S, Hdr, Cm)- 

Decrypt (S. uj. 1)^. Hdr, PK): Take as input a fc-wise natural interval set S = 
Uj=i ^ I j anc l the private key D u for a natural number oj £ [1, n], a header Hdr, a 
public key PK. If w £ NIj , 1 < j < k, the algorithm outputs the corresponding 
message encryption key Kj £ /C. 

The system is considered correct, if for all fc-wise natural interval sets S = 
Uj=i NIj an d natural numbers ui £ NIj (where j £ [1, k]), if 

PK Setup(n), D u <-■ PvkGen(w, SK e ), (Hdr, K) <--- Encrypt(S', PK), 

then Decrypt (S', w, D u , Hdr. PK)=K :r The concept of interval encryption is close 
to private linear BE (PLBE) mentioned in [42], and can be viewed as an extension of 
PLBE. 

Semantic Security (IND-sI-CPA): The selective-interval game is very similar to that of BE [95], and proceeds as follows:

Init: The adversary outputs a $k$-wise natural interval set $S^* = \bigcup_{j=1}^{k} NI_j^*$, where $NI_j^* = [l_j^*, r_j^*]$ satisfies $1 \le l_1^* \le r_1^* < l_2^* \le r_2^* < \cdots < l_k^* \le r_k^* \le n$, which it wishes to attack.

Setup: The challenger runs Setup($n$) to obtain a public key $PK$, which it gives to the adversary.

Phase 1: The adversary issues private key queries for identities $\omega \notin S^*$.

Challenge: The challenger runs algorithm Encrypt to obtain $(Hdr^*, K) \leftarrow \mathrm{Encrypt}(S^*, PK)$, where $K$ is the tuple of $k$ message encryption keys. Next, the challenger picks a random $\beta \in \{0,1\}$. It sets $K^* = K$ if $\beta = 1$ and sets $K^*$ to a random string of length equal to $|K|$ otherwise. It then sends $(Hdr^*, K^*)$ to the adversary.

Phase 2: Same as Phase 1.

Guess: The adversary outputs its guess $\beta' \in \{0,1\}$ for $\beta$ and wins the game if $\beta' = \beta$.

The adversary's advantage is the absolute value of the difference between its success probability and $1/2$.

Definition 3.5.1. An interval encryption scheme is selective-interval chosen plaintext secure (IND-sI-CPA) if all polynomial time adversaries have at most a negligible advantage in winning the above security game.

Adaptive CPA security can be defined in a similar way, except that there is no Init stage in the adaptive game, and the challenge interval set $S^*$ chosen in the Challenge stage must satisfy the restriction that none of the identities $\omega$ queried in Phase 1 and Phase 2 belongs to $S^*$, i.e., $\omega \notin S^*$.

The ultimate security goal is IND-CCA security, where the adversary does not need to choose the interval set at the beginning and is additionally provided with a decryption oracle. However, we only concentrate on IND-sI-CPA security here.

3.5.3 Binary Tree Encryption and Forward Secure Encryption

The concept of binary tree encryption (BTE) was first proposed by Canetti et al. [64]. BTE is a relaxation of hierarchical identity-based encryption (HIBE) [122]. As in HIBE, a "master" public key $PK$ is associated with a binary tree in BTE; each node $\omega$ in this tree has a corresponding secret key $SK_\omega$. To encrypt a message "targeted" for some node, one uses both $PK$ and the name of the target node; the resulting ciphertext can then be decrypted using the secret key of the target node. Moreover, as in HIBE, the secret key of any node can be employed to derive the secret keys of the children of that node. The only difference between HIBE and BTE is that the latter insists on a binary tree, where each non-leaf node has exactly two child nodes.

Technically speaking, forward secure encryption (FSE) is an elegant application of BTE. Let the depth of the binary tree be $d$, which implies that it has $n = 2^d$ leaf nodes. In an FSE scheme, the lifetime of the system is divided into $n = 2^d$ time periods, each of which is associated with a unique leaf node of the tree. A user holding the private key for time period $\omega$ can open all the messages encrypted under the subsequent time periods, namely $\omega' \in [\omega, n]$. The private key $D_\omega$ in the FSE construction contains the node secret key $SK_\omega$ for the leaf node $\omega$ as well as the node secret keys for the right siblings of the nodes on the path from the root to node $\omega$, where all these node secret keys come from the underlying BTE scheme. To encrypt a message for a certain period $\omega'$, one uses both $PK$ and the name of the respective leaf node $\omega'$, as in the BTE scheme; the resulting ciphertext can then be decrypted using the node secret key $SK_{\omega'}$, again as in the BTE scheme. As shown in Figure 3.11(a), a private key $D_2$ containing the node secret keys $SK_2$, $SK_c$, and $SK_b$ can be used to derive all the node secret keys for the leaf nodes falling into the interval $[2,8]$. Therefore, $D_2$ can be used to open all the messages encrypted under the time periods in the interval $[2,8]$.

Indeed, FSE can be viewed as a special case of interval encryption. As shown in Figure 3.11(a), if we use the ciphertext $C_4$ encrypted under leaf node 4 to represent the interval $[1,4]$, then only the private key for a time period $\omega \in [1,4]$ can be used to open the message; e.g., $D_2$ can be used to decrypt $C_4$ because $SK_4$ can be derived from $SK_c$, which belongs to $D_2$. However, $D_5$ cannot be used to decrypt $C_4$, as it is impossible to deduce $SK_4$ from any of the node secret keys included in $D_5$.

In the remainder of this section, we use a right direction arrow from a certain leaf node (or from the corresponding index on the axis) to denote this particular private key distribution mode. A right direction arrow from a leaf node $\omega$ means that all the node secret keys of the leaf nodes in the interval $[\omega, n]$ are computable from its own private key. Therefore, this private key can be used to open all the messages encrypted under these nodes. Besides, we also use a left direction arrow from a leaf node $\omega$ to denote the opposite decryption ability, namely that the respective private key can be used to open all the messages encrypted under the leaf nodes in the interval $[1, \omega]$. This is achieved by simply assigning a user the node secret key for node $\omega$ as well as the node secret keys for the left siblings of all the nodes on the path from the root to $\omega$. Generally, the FSE construction can be treated as a special interval encryption scheme in which the encryptor can only set intervals of the form $[1, j]$, where the upper bound $j$ is determined by the leaf node the ciphertext corresponds to. Now, our goal is to realize an interval encryption scheme covering multiple intervals, each of which has two freely chosen bounds determined by the encryptor.

[Figure 3.11: image not reproduced; the panels are labelled "Left BTE system" and "Right BTE system", with arrows drawn from the leaf nodes.]

Figure 3.11: (a) The key distribution mode of forward secure encryption: $C_4$ represents the interval $[1,4]$, and the private key of a user $\omega$ can be used to derive the node secret keys for all the nodes in the interval $[\omega, n]$. (b) The key distribution mode of interval encryption: we let $\omega = 5$ here. The respective private key $D_5$ contains the left private key $D_{5,(\mathrm{L})}$ and the right private key $D_{5,(\mathrm{R})}$. $D_{5,(\mathrm{L})} = \{SK_{5,(\mathrm{L})}, SK_{5|_{1,(\mathrm{LS})},(\mathrm{L})}\}$, which are derived from the left master key $\alpha - \alpha_5$. Similarly, $D_{5,(\mathrm{R})} = \{SK_{5,(\mathrm{R})}, SK_{5|_{2,(\mathrm{RS})},(\mathrm{R})}, SK_{5|_{3,(\mathrm{RS})},(\mathrm{R})}\}$, derived from the right master key $\alpha_5$. Let the left bound $l_j$ of an interval be 2; then $SK_{2,(\mathrm{L})}$ can be derived from $SK_{2|_1,(\mathrm{L})}$, which is equal to $SK_{5|_{1,(\mathrm{LS})},(\mathrm{L})}$ and belongs to $D_{5,(\mathrm{L})}$.
3.5.4 A Generic Transformation from BTE to Interval Encryption

Trivial Constructions: A trivial interval encryption scheme can be obtained directly from attribute-based encryption [129] if one treats the $\log n$ bits representing a number from 1 to $n$ as attributes and builds an access tree that admits specific intervals. However, even the most efficient trivial methodology inevitably results in an interval encryption construction with a ciphertext size of $O(k \log n)$, where $k$ is the number of intervals. As we have mentioned, our goal is to realize a BE system in which the ciphertext size is determined only by the number of intervals $k$. If the messages are only encrypted under the bounds of each interval, as in the FSE scheme, then this goal is reachable. However, it remains a challenge to make sure that only those with an index within the two bounds of an interval can open the message.

A Generic Transformation from BTE to Interval Encryption: There are some difficulties in the transformation from BTE to interval encryption. The first difficulty is how to differentiate the decryption ability of an index inside an interval from that of an index outside it. Taking the interval $[3,6]$ shown in Figure 3.12(a) as an example, we can easily find the required difference if we project two opposite direction arrows from each index on the axis, where the meaning of the arrows is as explained in the last paragraph of Section 3.5.3. The key observation of our transformation is the following: the two opposite direction arrows starting from index 5 cross the bounds 3 and 6, respectively, and therefore can decrypt the two corresponding partial ciphertexts in two different manners (we will show in the sequel how to differentiate the partial decryptions from the two directions, and how this eventually leads to the successful generation of the corresponding message encryption key). However, only one of the two arrows from index 2 or index 7 crosses both bounds: only the right direction arrow from index 2 crosses 3 and 6, while only the left direction arrow from index 7 crosses 3 and 6. This implies that an index outside of an interval can decrypt the partial ciphertexts in only one manner. The private key for the right direction arrow is called the right private key in the concrete construction, and the one for the left direction arrow is called the left private key.

Figure 3.12: Collusion and its prevention

The master key of the underlying BTE or HIBE scheme contains only one group element. The message encryption key for each interval corresponds to $\alpha \cdot \gamma$ in the exponent of a pairing, where $\alpha$ is the system master key and $\gamma$ is randomly chosen by the encryptor. For each user $\omega$, we choose a random number $\alpha_\omega$ and split the master key $\alpha$ into two parts: one is the right master key $\alpha_\omega$, which serves as the root master key for the right BTE system, from which the right private key $D_{\omega,(\mathrm{R})}$ of $\omega$ is derived; the other is the left master key $\alpha - \alpha_\omega$, i.e., the root master key for the left BTE system, from which the left private key $D_{\omega,(\mathrm{L})}$ of $\omega$ is derived. Note that the two private keys of $\omega$ can be distributed similarly to the FSE scheme, as shown in Figure 3.11(b). Consequently, a partial decryption using the user's right private key yields $\alpha_\omega \cdot \gamma$ in the exponent of a pairing, while a partial decryption using the left private key yields $(\alpha - \alpha_\omega) \cdot \gamma$ in its exponent. Then the message encryption key, which has $\alpha \cdot \gamma$ in its exponent, can be recovered since $\alpha = \alpha_\omega + (\alpha - \alpha_\omega)$.

In this way, we can prevent a possible collusion attack called two-user collusion. For example (shown in Figure 3.12(a)), a user $\omega = 7$ with the left private key $D_{7,(\mathrm{L})}$ (which can decrypt the partial ciphertext $C_3$) and a user $\omega = 2$ with the right private key $D_{2,(\mathrm{R})}$ (which can decrypt the partial ciphertext $C_6$) might collude to open the message for the interval $[3,6]$ (since together they can also complete the partial decryptions in two different manners), although neither of them is in this particular interval. In our system, the partial decryption from $D_{7,(\mathrm{L})}$ contains $(\alpha - \alpha_7) \cdot \gamma$ while the partial decryption from $D_{2,(\mathrm{R})}$ contains $\alpha_2 \cdot \gamma$ in its exponent; since $\alpha_2$ and $\alpha_7$ are independent random values, $(\alpha - \alpha_7) + \alpha_2 \ne \alpha$ except with negligible probability, and hence the collusion fails because there is no way for them to obtain $\alpha \cdot \gamma$ in the final step.

Besides, the encryptor is required to use a fresh random $\gamma_j$ while generating the ciphertext for each interval $NI_j$. This prevents another attack, called single-user collusion, which only arises in the scenario with multiple intervals (where $k > 1$). For instance (shown in Figure 3.12(b)), in an interval encryption system with the two intervals $[3,4] \cup [6,8]$, the partial decryption of $C_3$ with the left private key $D_{5,(\mathrm{L})}$ contains $\alpha - \alpha_5$, and the partial decryption of $C_8$ with the right private key $D_{5,(\mathrm{R})}$ contains the other half $\alpha_5$; the message encryption key corresponding to $\alpha \cdot \gamma$ could therefore be recovered by user 5, who belongs to neither interval, if the two intervals used the same randomness $\gamma$. However, a fresh randomness for each interval guarantees that only a user within a certain interval can successfully open the message. For example (as shown in Figure 3.12(b)), a random $\gamma_1$ is used in the ciphertext for the interval $[3,4]$ (partial ciphertexts $C_3$, $C_4$) and $\gamma_2$ is used in the encryption for the interval $[6,8]$ (partial ciphertexts $C_6$, $C_8$). The message encryption keys of these two intervals correspond to $\alpha \cdot \gamma_1$ and $\alpha \cdot \gamma_2$, respectively. A single-user collusion fails since the randomized partial decryptions $(\alpha - \alpha_5)\gamma_1$ and $\alpha_5\gamma_2$ do not combine into a meaningful encryption key in the final step (see Figure 3.12(b)).

The proposed methodology might not be fully generic, since it relies on the properties of the bilinear map. Therefore, in the following subsections we only illustrate our methodology with concrete examples rather than providing a formal description of a generic interval encryption system.
3.5.5 Basic Construction: A Concrete Instantiation Based on HIBE

In this subsection, we describe how the proposed methodology can be applied to the HIBE construction of [35] (viewed as a binary tree encryption scheme here) to obtain an interval encryption scheme. Note that there is an additional algorithm DeckeyDer$(D_\omega = \{D_{\omega,(\mathrm{L})}, D_{\omega,(\mathrm{R})}\}, \eta, \xi)$ compared with the original definition of interval encryption in Section 3.5.2. This algorithm is a preliminary step of the decryption algorithm, and we treat it as an independent algorithm for clarity. Besides, there is a slight technical modification to the underlying BTE construction: we use two concrete instantiations of its hash function, one for each BTE system, to guarantee that we can cover both bounds of each interval in the security proof.

Let $\mathbb{G}_1$ be a bilinear group of prime order $p$, and let $g$ be a generator of $\mathbb{G}_1$. In addition, let $e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ denote the bilinear map. A security parameter $\kappa$ determines the size of the groups. Assume the system accommodates $n = 2^d$ users, where $d$ is an integer.

Setup($n$): Select a random $\alpha \in \mathbb{Z}_p$ and set $g_1 = g^\alpha$. Choose random elements $g_2$, $g_{3,(\mathrm{L})}$, $g_{3,(\mathrm{R})}$, $h_{1,(\mathrm{L})}, \ldots, h_{d,(\mathrm{L})}$, $h_{1,(\mathrm{R})}, \ldots, h_{d,(\mathrm{R})}$ from $\mathbb{G}_1$.

The public key is $PK = (g, g_1, g_2, g_{3,(\mathrm{L})}, g_{3,(\mathrm{R})}, h_{1,(\mathrm{L})}, \ldots, h_{d,(\mathrm{L})}, h_{1,(\mathrm{R})}, \ldots, h_{d,(\mathrm{R})})$.

For a binary string $v = [v_1 v_2 \cdots v_j]$ where $j \in [1,d]$, define two publicly computable functions as $F_{(\mathrm{L})}(v) = g_{3,(\mathrm{L})} \cdot \prod_{i=1}^{j} h_{i,(\mathrm{L})}^{v_i}$ and $F_{(\mathrm{R})}(v) = g_{3,(\mathrm{R})} \cdot \prod_{i=1}^{j} h_{i,(\mathrm{R})}^{v_i}$. The system master key is $SK_\varepsilon = g_2^\alpha$.

PvkGen($\omega$, $SK_\varepsilon$): For the receiver $\omega = [\omega_1\omega_2\cdots\omega_d]$, associated with the $\omega$-th leaf node (counting from left to right), the algorithm first chooses a random number $\alpha_\omega \in \mathbb{Z}_p$. The right master key for $\omega$ is $SK_{\varepsilon,(\mathrm{R})} = g_2^{\alpha_\omega}$, and the left master key is $SK_{\varepsilon,(\mathrm{L})} = g_2^{\alpha - \alpha_\omega}$. The algorithm first generates two node secret keys for the leaf node $\omega$,

$SK_{\omega,(\mathrm{R})} = [g_2^{\alpha_\omega} (F_{(\mathrm{R})}(\omega))^{r_\omega}, g^{r_\omega}]$ and $SK_{\omega,(\mathrm{L})} = [g_2^{\alpha - \alpha_\omega} (F_{(\mathrm{L})}(\omega))^{r_\omega}, g^{r_\omega}]$,

where $r_\omega$ is a random number from $\mathbb{Z}_p$. For each node $\omega|_j$, $j = 1, \ldots, d$, on the path from the root to the leaf node $\omega$: if it has a right sibling $\omega|_{j,(\mathrm{RS})} = [\omega_1\omega_2\cdots\omega_{j-1}1]$ (i.e., $\omega_j = 0$), the algorithm uses the right master key to generate the respective node secret key

$SK_{\omega|_{j,(\mathrm{RS})},(\mathrm{R})} = [g_2^{\alpha_\omega} (F_{(\mathrm{R})}(\omega|_{j,(\mathrm{RS})}))^{r_j}, g^{r_j}, h_{j+1,(\mathrm{R})}^{r_j}, \ldots, h_{d,(\mathrm{R})}^{r_j}]$,

where $r_j$ is also a random number; otherwise (i.e., $\omega_j = 1$) the algorithm uses the left master key to generate the node secret key for its left sibling $\omega|_{j,(\mathrm{LS})} = [\omega_1\omega_2\cdots\omega_{j-1}0]$ as

$SK_{\omega|_{j,(\mathrm{LS})},(\mathrm{L})} = [g_2^{\alpha - \alpha_\omega} (F_{(\mathrm{L})}(\omega|_{j,(\mathrm{LS})}))^{r_j}, g^{r_j}, h_{j+1,(\mathrm{L})}^{r_j}, \ldots, h_{d,(\mathrm{L})}^{r_j}]$.

Output the private key $D_\omega = \{D_{\omega,(\mathrm{R})}, D_{\omega,(\mathrm{L})}\}$, where

$D_{\omega,(\mathrm{R})} = \{SK_{\omega,(\mathrm{R})}, \{SK_{\omega|_{j,(\mathrm{RS})},(\mathrm{R})}\}_{j \in [1,d]}\}$ and $D_{\omega,(\mathrm{L})} = \{SK_{\omega,(\mathrm{L})}, \{SK_{\omega|_{j,(\mathrm{LS})},(\mathrm{L})}\}_{j \in [1,d]}\}$,

and only the siblings that actually exist are included.

Encrypt($S$, $PK$): The encryptor first chooses a $k$-wise natural interval set $S = \bigcup_{j=1}^{k} NI_j$, where $NI_j = [l_j, r_j]$. For each interval, pick $\gamma_j$ uniformly at random from $\mathbb{Z}_p$. Let the binary names of the leaf nodes corresponding to the two bounds be $r_j = [r_{j1} \cdots r_{jd}]$ and $l_j = [l_{j1} \cdots l_{jd}]$.

Output the respective partial ciphertexts $C_{l_j} = \{g^{\gamma_j}, (F_{(\mathrm{L})}(l_j))^{\gamma_j}\}$ and $C_{r_j} = \{g^{\gamma_j}, (F_{(\mathrm{R})}(r_j))^{\gamma_j}\}$. Set the message encryption key for each interval $NI_j$ as $K_j = e(g_1, g_2)^{\gamma_j} \in \mathbb{G}_2$. The collection of these partial ciphertexts constitutes the header $Hdr = \{C_{l_j}, C_{r_j}\}_{j=1}^{k}$.

DeckeyDer($D_\omega = \{D_{\omega,(\mathrm{L})}, D_{\omega,(\mathrm{R})}\}, \eta, \xi$): This algorithm derives the node secret key $SK_{\eta,(\mathrm{L})}$ for the lower bound $\eta$ and $SK_{\xi,(\mathrm{R})}$ for the upper bound $\xi$.

1. Let a natural number $\eta \le \omega$ denote the $\eta$-th leaf node, so that $\eta$ lies to the left of $\omega$ (or is $\omega$ itself) in the binary tree. Assume the binary representation of $\eta$ is $\eta = [\eta_1 \cdots \eta_d]$. There must exist a node secret key $SK_{\eta|_j,(\mathrm{L})}$, $j \in [1,d]$, which belongs to $D_{\omega,(\mathrm{L})}$ (as shown in Figure 3.11(b)). Run the derivation algorithm of the underlying BTE scheme iteratively, that is, execute the following steps for $i = j$ up to $i = d-1$:

(a) Let $\eta|_i = [\eta_1 \cdots \eta_i]$. Parse $SK_{\eta|_i,(\mathrm{L})}$ as $(g_2^{\alpha - \alpha_\omega} (F_{(\mathrm{L})}(\eta|_i))^{r_i}, g^{r_i}, h_{i+1,(\mathrm{L})}^{r_i}, \ldots, h_{d,(\mathrm{L})}^{r_i}) = (a_0, a_1, b_{i+1}, \ldots, b_d)$.

(b) Choose a random $t \in \mathbb{Z}_p$, output $SK_{\eta|_{i+1},(\mathrm{L})} = (a_0 \cdot b_{i+1}^{\eta_{i+1}} \cdot (F_{(\mathrm{L})}(\eta|_{i+1}))^t,\ a_1 \cdot g^t,\ b_{i+2} \cdot h_{i+2,(\mathrm{L})}^t, \ldots, b_d \cdot h_{d,(\mathrm{L})}^t)$, and set $i = i+1$.

Finally, it outputs a node secret key $SK_{\eta,(\mathrm{L})} = [g_2^{\alpha - \alpha_\omega} (F_{(\mathrm{L})}(\eta))^{r}, g^{r}]$ for the lower bound $\eta$, where $r$ is the accumulated randomness.

2. Let a natural number $\xi \ge \omega$ denote the $\xi$-th leaf node. Assume the binary representation of $\xi$ is $\xi = [\xi_1 \cdots \xi_d]$. Then there must exist a node secret key $SK_{\xi|_j,(\mathrm{R})}$ which belongs to $D_{\omega,(\mathrm{R})}$. Run the derivation algorithm of the underlying BTE scheme iteratively, i.e., steps 1(a)-1(b) with $(\mathrm{R})$ in place of $(\mathrm{L})$ and $\alpha_\omega$ in place of $\alpha - \alpha_\omega$.

Output a node secret key $SK_{\xi,(\mathrm{R})} = [g_2^{\alpha_\omega} (F_{(\mathrm{R})}(\xi))^{r}, g^{r}]$ for the upper bound $\xi$.


Decrypt($S$, $\omega$, $D_\omega$, $Hdr$, $PK$): If $\omega \in NI_j = [l_j, r_j]$ for some $1 \le j \le k$, which implies $l_j \le \omega \le r_j$, then it runs DeckeyDer($D_\omega$, $l_j$, $r_j$) to generate the decryption keys $SK_{r_j,(\mathrm{R})}$ and $SK_{l_j,(\mathrm{L})}$. From the secret key $SK_{r_j,(\mathrm{R})} = [g_2^{\alpha_\omega} (F_{(\mathrm{R})}(r_j))^{r}, g^{r}]$ and the partial ciphertext for the upper bound $C_{r_j} = \{g^{\gamma_j}, (F_{(\mathrm{R})}(r_j))^{\gamma_j}\}$, compute

$\dfrac{e(g^{\gamma_j},\ g_2^{\alpha_\omega} (F_{(\mathrm{R})}(r_j))^{r})}{e(g^{r},\ (F_{(\mathrm{R})}(r_j))^{\gamma_j})} = e(g, g_2)^{\gamma_j \alpha_\omega}.$

From the secret key $SK_{l_j,(\mathrm{L})} = [g_2^{\alpha - \alpha_\omega} (F_{(\mathrm{L})}(l_j))^{r'}, g^{r'}]$ and the partial ciphertext for the lower bound $C_{l_j} = \{g^{\gamma_j}, (F_{(\mathrm{L})}(l_j))^{\gamma_j}\}$, compute

$\dfrac{e(g^{\gamma_j},\ g_2^{\alpha - \alpha_\omega} (F_{(\mathrm{L})}(l_j))^{r'})}{e(g^{r'},\ (F_{(\mathrm{L})}(l_j))^{\gamma_j})} = e(g, g_2)^{\gamma_j (\alpha - \alpha_\omega)}.$

Finally, it computes

$e(g, g_2)^{\gamma_j \alpha_\omega} \cdot e(g, g_2)^{\gamma_j (\alpha - \alpha_\omega)} = e(g, g_2)^{\gamma_j \alpha} = e(g^{\alpha}, g_2)^{\gamma_j} = e(g_1, g_2)^{\gamma_j} = K_j.$


3.5.6 Discussion on Efficiency and Security

In this construction, the public key size is $O(\log n)$, and the private key only contains $O(\log n)$ BTE node secret keys. Note that the private key in the DF transformation [101] of the NNL method or in the HS construction contains $O(\log^2 n)$ or $O(\log^{1+\epsilon} n)$ node secret keys, respectively. It is important to point out that a widely used tool, the updatable public storage of the FSE scheme [35], can also be adopted in our proposed interval encryption system to limit the cost of private storage to $O(\log n)$. The above efficiency parameters can be further improved if the random oracle model is adopted; i.e., the public key size can be reduced to $O(1)$ in this case.

The decryption cost is dominated by the derivation of the two node secret keys. The derivation cost can be reduced to $O(\log n)$ by the following direct computation: in order to deduce the node secret key $SK_{\eta,(\mathrm{L})} = [g_2^{\alpha - \alpha_\omega} (F_{(\mathrm{L})}(\eta))^{r'}, g^{r'}] = (a_0', a_1')$ from $SK_{\eta|_i,(\mathrm{L})} = (g_2^{\alpha - \alpha_\omega} (F_{(\mathrm{L})}(\eta|_i))^{r_i}, g^{r_i}, h_{i+1,(\mathrm{L})}^{r_i}, \ldots, h_{d,(\mathrm{L})}^{r_i}) = (a_0, a_1, b_{i+1}, \ldots, b_d)$, we can compute $a_0' = a_0 \cdot \prod_{k=i+1}^{d} b_k^{\eta_k} \cdot (F_{(\mathrm{L})}(\eta))^{t}$ and $a_1' = a_1 \cdot g^{t}$, where we set $r' = r_i + t$. We can deduce the node secret key $SK_{\xi,(\mathrm{R})}$ from $SK_{\xi|_i,(\mathrm{R})}$ in a similar way. The overall decryption time is then reduced to $O(\log n)$, since the rest of the decryption procedure only requires a constant number of pairings and group operations.

Why is $O(k)$ better: A system with a transmission overhead proportional to $k$ is more efficient than the traditional systems, especially those whose communication load depends linearly on the number $r$ of revoked users, such as the revocation systems of [240,303]. Note that $k \le \min(r+1, n-r)$ for any revoked set of size $r$, since the non-revoked users form at most $r+1$ maximal runs and each run contains at least one user. To illustrate, we compare the performance of both kinds of systems for different values of $r$ and $k$. We assume that the total number of nodes is $n = 2^{17} = 131072$ and let $r$ increase from 1 to $n$. For a specific $r$, we randomly generate 1000 revoked sets, which correspond to 1000 interval numbers $k$, and thus obtain an average interval number $k$ as well as the average transmission overhead of the proposed scheme, as shown in Figure 3.13. From Figure 3.13 it is observed that, when the revocation set is small, the performance of the proposed scheme is very close to that of the traditional systems. However, the difference grows as $r$ increases. If the revoked set exceeds 50% of the total number of users, the communication load of the proposed scheme decreases as $r$ increases. It is also observed that the proposed scheme achieves its best performance when $r$ is very large, which further demonstrates that the proposed scheme is suitable for cases where a small receiver set is employed. Compared with the BGW generalized construction [39], whose $\sqrt{n}$-size transmission overhead only makes it a better choice than the trivial solution and the traditional systems when $r > \sqrt{n}$, our system keeps its advantage over the traditional constructions even when $r$ is a small number, namely $r \ll n$.

Figure 3.13: Comparison between $k$ and $r$

From the above results, it is concluded that the proposed construction fits more cases than the traditional systems, whose cost depends on $r$, and therefore constitutes a more favorable choice in practice.
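The following Python script is an added example, not the authors' simulation code. It reproduces the experiment described above: it computes the receiver set $[1,n] \setminus R$ as maximal runs, counts the intervals $k$ for random revoked sets of size $r$, and compares the average against the bound $\min(r+1, n-r)$, so that the $O(k)$ overhead of the proposed scheme can be set against the $O(r)$ overhead of an $r$-linear system. The number of trials is a parameter (the text uses 1000), and the random seed is fixed only for repeatability.

```python
"""Count the intervals k of the receiver set [1, n] minus R for a revoked set R of
size r.  Added example, not the authors' simulation; trials and seed are assumed."""
import random


def receiver_intervals(n, revoked):
    """Maximal runs of non-revoked indices in [1, n] as (l, r) pairs, O(r log r)."""
    intervals, start = [], 1
    for x in sorted(set(revoked)) + [n + 1]:    # sentinel closes the last run
        if x > start:
            intervals.append((start, x - 1))
        start = x + 1
    return intervals


def k_bound(n, r):
    """k <= r + 1 (runs between revoked points) and k <= n - r (each run is non-empty)."""
    return min(r + 1, n - r)


def average_k(n, r, trials=1000, seed=0):
    """Mean number of intervals over random revoked sets of size r (seeded for repeatability)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += len(receiver_intervals(n, rng.sample(range(1, n + 1), r)))
    return total / trials


def overhead_table(n, r_values, trials=1000):
    """Rows (r, average k, bound): the proposed scheme sends O(k) header elements,
    an r-linear revocation scheme sends O(r)."""
    return [(r, average_k(n, r, trials), k_bound(n, r)) for r in r_values]


if __name__ == "__main__":
    n = 2**17
    for r, k, bound in overhead_table(n, [1, 100, n // 4, n // 2, 3 * n // 4, n - 10], trials=20):
        print("r=%6d  avg k=%9.1f  bound=%6d" % (r, k, bound))
```

For $r$ close to $n$ the table shows $k$ collapsing toward $n - r$, which is the regime where the text reports the best performance, while for small $r$ the average $k$ stays close to $r + 1$.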

The selective security of the proposed construction can be proven under the decisional $(d+1)$-BDHE assumption, as stated below. We omit the concrete proof here.

Theorem 3.5.2. If the decisional $(d+1)$-BDHE assumption holds in $\mathbb{G}_1, \mathbb{G}_2$, the proposed interval encryption scheme is selective-interval chosen plaintext secure (IND-sI-CPA).

3.5.7 Extension Work

Inclusive Extended Interval Encryption: An inclusive extended interval encryption scheme deals with the scenario where the message is encrypted under a collection of intervals $S = \bigcup_{j=1}^{k} [l_j, r_j]$ and the private key $D_\omega$ of a user $\omega$ corresponds to an interval $[l_\omega, r_\omega]$. Decryption succeeds if at least one interval $[l_j, r_j]$, $j \in [1,k]$, exists such that $[l_\omega, r_\omega] \subseteq [l_j, r_j]$. To generate a private key corresponding to an interval $[l_\omega, r_\omega]$ (see Figure 3.14), we simply generate a left private key $D_{l_\omega,(\mathrm{L})}$ for the lower bound $l_\omega$ using the left master key $\alpha - \alpha_\omega$, as in the basic construction. Similarly, we generate a right private key $D_{r_\omega,(\mathrm{R})}$ for the upper bound $r_\omega$ using the right master key $\alpha_\omega$. The remaining algorithms have no significant differences from those in the basic construction. Furthermore, it is easy to observe that a user holding a private key for an interval $[l_\omega, r_\omega]$ can delegate a private key for another interval $[l_{\omega'}, r_{\omega'}]$ using the DeckeyDer algorithm as long as $[l_\omega, r_\omega] \subseteq [l_{\omega'}, r_{\omega'}]$, since DeckeyDer can only move the left bound further left and the right bound further right. This property is somewhat close to the recently proposed concept of inclusive identity-based encryption (IBE) [40]. We consider this extended construction to be of theoretical interest because few inclusive constructions exist [120] since the proposal of inclusive IBE.

Figure 3.14: Extended Interval Encryption: the generation of a private key for the interval $[4,5]$

Adaptively Secure Interval Encryption: An adaptively secure interval encryption scheme can be constructed from Lewko and Waters' HIBE construction [182]. The basic idea is to apply our proposed transformation method to Lewko and Waters' HIBE scheme.

Range Attribute-based Encryption: In a key-policy attribute-based encryption (ABE) scheme [129], a private key is associated with an access policy such as "Old man AND tall." A user holding this private key can open a message encrypted under the attribute set {"Old man", "tall"}, since this attribute set satisfies the above access policy. In practice, the attributes in an attribute set might have certain ranges, and the attributes in an access policy might be assigned concrete values. In the above example, the access policy might be denoted by the formula "Age: 60 AND Height: 180 (cm)". A user holding a private key associated with this policy should be able to open a message encrypted under the attribute set {"Age: 50 to 100", "Height: 175 to 250 (cm)"}. The decryption succeeds because both values of the two attributes fall into the ranges required by the attribute set, and hence the access policy is satisfied. However, a user holding a private key associated with the access policy "Age: 49 AND Height: 180 (cm)" cannot decrypt this message, since the value "Age: 49" is not within the corresponding range "Age: 50 to 100" in the attribute set. A range ABE scheme is realizable from a traditional ABE scheme; however, the ciphertext then blows up by a $\log n$ factor, as shown in our trivial example of constructing interval encryption from ABE. The proposed interval encryption scheme can easily be modified into a range ABE scheme with a constant ciphertext size per range.

Interval Encryption under Simpler Assumptions: The proposed method is also applicable to those BTE or HIBE schemes whose master keys contain only a single group element, such as [34,62]. In this way we can construct interval encryption schemes based on the decisional bilinear Diffie-Hellman assumption; the concrete steps are similar to those of Section 3.5.5. The weakness of these constructions is that the ciphertext size blows up by a $\log n$ factor compared with the basic construction, while the private key size remains $O(\log n)$.

Encryption Under a Graph: Consider the following application: a message is encrypted under a digital map of a certain territory on earth (a closed two-dimensional graph), and only those who hold a private key for a location in the territory can open the message. This notion might give rise to several interesting applications. For example, a launch order for a certain weapon might be encrypted under the map of a specific region, and only those who have a private key corresponding to a location within this region can launch the weapon. Clearly, we can map all the points of a two-dimensional digital map to points on a one-dimensional axis: we simply compute $i = (y-1)c + x$, where $(x,y)$ is a point in a two-dimensional map of width $c$ and height $d$. If we set $n = c \cdot d$, then all the points are mapped to indices $i \in [1,n]$. In other words, all the points within the territory of this digital map can be mapped into a collection of intervals, one per maximal horizontal run of points inside the territory. Therefore, the proposed interval encryption scheme provides a solution for the above scenario. The number of intervals depends on the perimeter of the territory.
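The following Python code is an added example, not the authors' code, of the row-major mapping $i = (y-1)c + x$ described above. It scans a territory given as a mask of rows (a format assumed here: `#` marks a point inside the territory, `.` a point outside, with $y = 1$ as the top row), emits one interval per maximal horizontal run, merges runs that continue from the right edge of one row to the left edge of the next, and offers the membership test a decryptor's index must pass.

```python
"""Map a 2-D territory to intervals on a 1-D axis via i = (y - 1) * c + x, so that
"encrypt under the map" becomes interval encryption.  Added example, not the
authors' code; the mask format (rows of '#'/'.', y = 1 at the top) is assumed."""


def point_index(x, y, c):
    """The text's mapping of a point (x, y), 1 <= x <= c, to an index in [1, c*d]."""
    return (y - 1) * c + x


def region_to_intervals(mask):
    """Row-scan a mask into maximal index intervals, merging runs that continue
    across a row boundary (the right edge of row y is adjacent to the left edge of row y+1)."""
    c = len(mask[0])
    intervals = []
    for y, row in enumerate(mask, start=1):
        start = None
        for x, ch in enumerate(row + ".", start=1):       # sentinel closes the last run
            if ch == "#" and start is None:
                start = point_index(x, y, c)
            elif ch != "#" and start is not None:
                end = point_index(x, y, c) - 1
                if intervals and intervals[-1][1] + 1 == start:
                    intervals[-1] = (intervals[-1][0], end)  # continue the previous run
                else:
                    intervals.append((start, end))
                start = None
    return intervals


def in_region(intervals, x, y, c):
    """The membership check a decryptor's index must pass: some interval contains it."""
    i = point_index(x, y, c)
    return any(l <= i <= r for l, r in intervals)


if __name__ == "__main__":
    territory = ["....",        # constructed 4 x 4 sample map
                 ".##.",
                 ".###",
                 "...."]
    print(region_to_intervals(territory))   # one interval per horizontal run
```

For the sample map the scan yields $[6,7]$ and $[10,12]$, i.e. $k = 2$ intervals for a territory of 5 points; a territory that is a single full-width band yields one interval regardless of its area, which is why the text relates $k$ to the perimeter rather than the area.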

Future Work and Open Problems: The reason why the proposed construction can reduce the transmission cost is the difference between the points inside and outside of a certain interval. How to reduce the transmission cost based on the difference between the points inside and outside of a graph, and especially how to minimize the number of intervals $k$ in the multi-dimensional scenario, is left as an important open problem. It may be possible to borrow ideas from computational geometry to solve it. Proposing a BTE or HIBE construction with improved efficiency or under a weaker assumption that is compatible with our framework is also very interesting, since this directly implies an improvement of interval encryption.

3.6 Fuzzy Identity-Based Signature Schemes

At present, while we enjoy the facilities provided by modern technology, many security and privacy issues arise. One of them is reliable user authentication. In a generic cryptographic environment, possession of the decryption key is sufficient to authenticate the user's identity. But since the decryption key is long and complicated, it is difficult to memorize; as a result, it is stored somewhere, and another authentication mechanism (e.g., a password) is relied on to retrieve this key. By simple dictionary attacks, most passwords are easy to guess. Moreover, people tend to write down complex passwords in easily accessible locations. In addition, people often use the same password in many applications. Thus, if a single password is compromised, many doors are opened.

Considering the limitations of passwords, password-based authentication is not suitable for systems that require a high security level. An alternative approach is to use biometrics (fingerprints, iris data, face, and voice). Biometrics are inherently more reliable than passwords, since people can never forget or lose their biometrics; they are extremely difficult to copy, distribute, or share; and the person being authenticated is required to be present at the time and point of authentication. It is also difficult to forge biometrics. Thus, biometric authentication is a potential candidate to replace password-based authentication.

Despite the advantages of biometric authentication, the following issue must be addressed: biometric data is not exactly reproducible; as shown in Figure 3.15, two biometric scans of the same feature are rarely identical. Thus, traditional protocols cannot guarantee correctness when the parties use a shared secret derived from biometric data.

Figure 3.15: Two biometric scans of the same feature are rarely identical.

Furthermore, a common approach to biometric authentication is to capture the biometric templates of all users during the enrollment phase and to store the templates in a reference database. During the authentication phase, a new scan is compared with the stored templates. Storing biometric templates in a database incurs a number of security and privacy risks, such as:

1. Impersonation. An attacker steals templates from the database and constructs artificial biometrics that pass authentication.

2. Irrevocability. Once compromised, biometrics cannot be updated, reissued, or destroyed.

3. Exposure of sensitive personal information.

The concept of fuzzy identity-based encryption (FIBE) was introduced by Sahai and Waters and further developed in a line of works, e.g., [16,227]. In a nutshell, a FIBE scheme allows a user with the private key for identity $\omega$ to decrypt a ciphertext encrypted for identity $\omega'$ if and only if $\omega$ and $\omega'$ are within a certain distance judged by some metric. 

In this section, we introduce a novel cryptographic primitive that is the signature analogue of FIBE; we call it fuzzy identity-based signature (FIBS) [300].^8 FIBS allows a user with identity $\omega$ to issue a signature which can be verified with identity $\omega'$ if $\omega$ and $\omega'$ are within a certain distance judged by some metric. Using FIBS, we construct a biometric authentication scheme and address the problems of biometric authentication mentioned above. In our scheme, the server stores a FIBS signature and a public string pub which is shared by the users. When a user A wants to authenticate himself to user B, he sends his public string pub to the server and allows the server to retrieve the signature and reconstruct the shared secret. Our scheme meets the "robust to noise," "anti-impersonation," and "privacy protection" security requirements. 

Another interesting application is attribute-based signature. In this application, a 
user can issue a signature on behalf of the group that has a certain set of attributes. For 
example, an IT company might want a C++ senior programmer whose age is above 50 
to sign the technical report. In this scenario, it will sign to the identity {“C++”,“senior 
programmer”,“above 50”}. Any user who has an identity that contains all of these 
attributes can issue the signature. 

Much work has focused on developing secure biometric authentication [92,164,165,214,278]. Most recently, Dodis, Reyzin, and Smith [102] showed an approach, different from ours, that uses biometric data to derive secure cryptographic keys which can be used for the purposes of authentication. Roughly speaking, they introduce two primitives: a secure sketch, which allows recovery of a shared secret given a close approximation thereof, and a fuzzy extractor, which extracts a uniformly random string $s$ from this shared secret in an error-tolerant manner. Both primitives work by constructing a "public" string pub which is stored by the server and transmitted to the user; pub encodes the redundancy information needed for error-tolerant reconstruction. But the work of Dodis, Reyzin, and Smith does not address the issue of malicious modification of pub. Indeed, an adversary who maliciously alters the public string sent to a user may be able to learn the user's biometric data. Boyen et al. [46] improved this result in a way that resists an active adversary and provides mutual authentication and authenticated key exchange. 

^8 Since FIBE appeared in 2005, we were the first to propose the cryptographic primitive FIBS, in 2007. 

3.6.1 Definitions 

Notations: From here on we use $\mathbb{Z}_q$ to denote the group $\{0, \ldots, q-1\}$ under addition modulo $q$. For a group $G$ of prime order we use $G^*$ to denote the set $G^* = G - \{O\}$, where $O$ is the identity element in the group $G$. We use $\mathbb{Z}^*$ to denote the set of positive integers. 

Bilinear Pairings and Assumptions: Let us consider two multiplicative groups $G$ and $G_T$ of the same prime order $p$. A bilinear pairing is a map $e: G \times G \to G_T$ with the following properties: 

1. Bilinearity: $e(u^a, v^b) = e(u, v)^{ab}$, where $u, v \in G$ and $a, b \in \mathbb{Z}^*$. 

2. Nondegeneracy: there exist $u \in G$ and $v \in G$ such that $e(u, v) \ne 1$. 

3. Computability: there is an efficient algorithm to compute $e(u, v)$ for all $u, v \in G$. 

Computational Diffie-Hellman (CDH) Assumption: We briefly review the computational Diffie-Hellman (CDH) assumption. Readers can refer to previous literature [162] for more details. 

The challenger chooses $a, b \in \mathbb{Z}_p$ at random and outputs $(g, A = g^a, B = g^b)$. The adversary then attempts to output $g^{ab} \in G$. An adversary $\mathcal{B}$ has at least an $\epsilon$ advantage if 

$$\Pr[\mathcal{B}(g, g^a, g^b) = g^{ab}] \ge \epsilon,$$

where the probability is over the randomly chosen $a, b$ and the random bits consumed by $\mathcal{B}$. 

Definition 3.6.1. The $(t, \epsilon)$-CDH assumption holds if no $t$-time adversary has at least $\epsilon$ advantage in winning the above game. 


Threshold Secret Sharing Schemes: An $(n, t)$ threshold secret sharing scheme distributes a secret $s$ among a set $\mathcal{P} = \{P_1, \ldots, P_n\}$ of $n$ players by a dealer. Each player $P_i$ privately receives $s_i$ as a share of the secret from the dealer. Then, those subsets with at least $t$ players can recover the secret, while subsets containing fewer than $t$ players cannot gain any information about the secret. 

Shamir's solution uses polynomial interpolation. Let $GF(q)$ be a finite field with $q > n$ elements, and let $s \in GF(q)$ be the secret to be shared. The dealer randomly picks a polynomial $f(x)$ of degree $t-1$ and sets the constant term of $f(x)$ to $s$, so $f(x)$ has the form 

$$f(x) = s + \sum_{j=1}^{t-1} a_j x^j.$$

If every player $P_i$ is assigned a unique field element $\alpha_i$, the dealer sends the secret share $s_i = f(\alpha_i)$ to $P_i$ through a private channel. Now, if a set of players $S \subseteq \mathcal{P}$ satisfies $|S| \ge t$, they can recover the secret $s = f(0)$ by using the following formula: 

$$f(x) = \sum_{P_i \in S} \Delta_{\alpha_i, S}(x)\, f(\alpha_i) = \sum_{P_i \in S} \Delta_{\alpha_i, S}(x)\, s_i,$$

where 

$$\Delta_{\alpha_i, S}(x) = \prod_{P_l \in S,\; l \ne i} \frac{x - \alpha_l}{\alpha_i - \alpha_l}.$$

On the other hand, it can be proved that if a subset $B \subseteq \mathcal{P}$ satisfies $|B| < t$, the players in $B$ cannot get any information about the polynomial $f(x)$ even if they collude. 
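Shamir's scheme as described above, written out as an added example (not the book's code); the field prime q = 2^61 - 1 and the player points alpha_i = i are assumptions. The last function makes the "no information from t - 1 shares" claim concrete: for any candidate secret there is a degree t - 1 polynomial consistent with the t - 1 shares.

```python
"""Shamir (n, t) threshold secret sharing over GF(q), as described above.
Added example for this section, not the book's own code.  Assumptions: the
field prime q = 2**61 - 1 and the player points alpha_i = i (any prime q > n
and any distinct nonzero alpha_i would do)."""
import secrets

Q = 2**61 - 1   # prime q of the field GF(q); assumption


def lagrange_coeff(alpha_i, points, x, q=Q):
    """Delta_{alpha_i,S}(x) = prod_{alpha_l in S, l != i} (x - alpha_l)/(alpha_i - alpha_l) mod q."""
    num = den = 1
    for alpha_l in points:
        if alpha_l != alpha_i:
            num = num * (x - alpha_l) % q
            den = den * (alpha_i - alpha_l) % q
    return num * pow(den, -1, q) % q      # pow(den, -1, q): modular inverse (Python >= 3.8)


def eval_poly(coeffs, x, q=Q):
    """Evaluate f(x) = coeffs[0] + coeffs[1]*x + ... + coeffs[t-1]*x^(t-1) mod q (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def deal(secret, n, t, q=Q, coeffs=None):
    """Dealer: f(x) = s + a_1 x + ... + a_{t-1} x^{t-1} with random a_j (or the given
    coefficients, for reproducible tests); player P_i receives the share (alpha_i, f(alpha_i))."""
    assert 0 <= secret < q and 1 <= t <= n < q
    if coeffs is None:
        coeffs = [secrets.randbelow(q) for _ in range(t - 1)]
    f = [secret] + list(coeffs)
    return [(i, eval_poly(f, i, q)) for i in range(1, n + 1)]   # alpha_i = i


def reconstruct(shares, q=Q):
    """Any subset S with |S| >= t: s = f(0) = sum_{P_i in S} Delta_{alpha_i,S}(0) * s_i."""
    points = [a for a, _ in shares]
    return sum(lagrange_coeff(a, points, 0, q) * s for a, s in shares) % q


def completing_share(shares, candidate, alpha_new, q=Q):
    """Why t-1 shares reveal nothing: for ANY candidate secret there is a degree t-1
    polynomial through the t-1 shares and (0, candidate).  Return its value at alpha_new,
    i.e. the one extra share that would make the t-1 shares reconstruct to `candidate`."""
    pts = shares + [(0, candidate)]
    xs = [a for a, _ in pts]
    return sum(lagrange_coeff(a, xs, alpha_new, q) * s for a, s in pts) % q
```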
3.6.2 Security Models 

Fuzzy Identity-Based Signature: A generic fuzzy identity-based signature (FIBS) scheme consists of the following algorithms: 

• Setup$(1^k, d)$: The Setup algorithm is a probabilistic algorithm that takes a security parameter $1^k$ and an error tolerance parameter $d$ as input. It generates the master key $mk$ and the public parameters $params$. Note that $mk$ is kept secret. 

• Extract$(mk, ID)$: The private key extraction algorithm is a probabilistic algorithm that takes the master key $mk$ and an identity $ID$ as input. It outputs a private key associated with $ID$, denoted by $D_{ID}$. 

• Sign$(params, D_{ID}, M)$: The signing algorithm is a probabilistic algorithm that takes the public parameters $params$, a private key $D_{ID}$ associated with $ID$, and a message $M$ as input. It outputs the signature $\sigma$. 

• Verify$(params, ID', M, \sigma)$: The verification algorithm is a deterministic algorithm that takes the public parameters $params$, an identity $ID'$ such that $|ID' \cap ID| \ge d$, the message $M$, and the corresponding signature $\sigma$ as input. It returns a bit $b$, where $b = 1$ means that the signature is valid. 

Security Model 

Definition 3.6.2. (UF-FIBS-CMA). Let $\mathcal{A}$ be an adversary assumed to be a probabilistic Turing machine taking as input a security parameter $k$. Consider the following game in which $\mathcal{A}$ interacts with a challenger $\mathcal{C}$: 

• Setup: The challenger $\mathcal{C}$ runs the setup phase of the algorithm and tells the adversary $\mathcal{A}$ the public parameters. 

• Phase 1: $\mathcal{A}$ adaptively issues private key queries and signature queries for any identities $\gamma_i$. 

• Phase 2: $\mathcal{A}$ declares the target identity $\alpha$, where $|\alpha \cap \gamma_i| < d$ for all $\gamma_i$ from Phase 1. 

• Phase 3: $\mathcal{A}$ issues private key queries for identities $\gamma_j$ with $|\gamma_j \cap \alpha| < d$ for all $j$. $\mathcal{A}$ issues signature queries for any identity. 

• Phase 4: $\mathcal{A}$ outputs $(\alpha, M, \sigma)$, where $\sigma$ is a valid signature of $\alpha$ on the message $M$ and $\mathcal{A}$ did not make a signature query on $M$ for identity $\alpha$. 

We define $\mathcal{A}$'s success probability by 

$$\mathrm{Succ}^{\mathrm{UF\text{-}FIBS\text{-}CMA}}_{\mathrm{FIBS},\mathcal{A}}(k) = \Pr[\mathrm{Verify}(\alpha, M, \sigma) = 1].$$

The fuzzy identity-based signature scheme FIBS is said to be UF-FIBS-CMA secure if $\mathrm{Succ}^{\mathrm{UF\text{-}FIBS\text{-}CMA}}_{\mathrm{FIBS},\mathcal{A}}(k)$ is negligible in the security parameter $k$. 


3.6.3 Construction 

Our scheme is based on the two-level hierarchical signature in [48]. 

In what follows, we assume groups $G$ and $G_T$ of prime order $p$ such that a bilinear pairing $e: G \times G \to G_T$ can be constructed, and $g$ is a generator of $G$. 

Identities will be sets of $n$ elements of $\mathbb{Z}^*$. We use the definition of the Lagrange coefficient $\Delta_{i,S}(x)$ as in Section 2.4. 

Setup$(n, d)$: To set up the system, first choose $g_1 = g^y$ and $g_2 \in G$. Next, choose $t_1, \ldots, t_{n+1}$ uniformly at random from $G$. Let $N$ be the set $\{1, \ldots, n+1\}$ and define a function $T$ as 

$$T(x) = g_2^{x^n} \prod_{i=1}^{n+1} t_i^{\Delta_{i,N}(x)}.$$

Next, select a random integer $z' \in \mathbb{Z}_p$ and a random vector $z = (z_1, \ldots, z_m) \in \mathbb{Z}_p^m$. The public parameters of the system and the master key are given by 

$$PP = \big( g_1, g_2, t_1, \ldots, t_{n+1},\ v' = g^{z'},\ v_1 = g^{z_1}, \ldots, v_m = g^{z_m},\ A = e(g_1, g_2) \big) \in G^{n+m+4} \times G_T,$$

$$MK = y.$$

Extract$(PP, MK, \omega)$: To generate the private key for the identity $\omega$, first choose a random degree $d-1$ polynomial $q$ such that $q(0) = y$, and return 

$$K_\omega = \big( \{D_i\}_{i \in \omega}, \{d_i\}_{i \in \omega} \big) \in G^{2n},$$

where the elements are constructed as 

$$D_i = g_2^{q(i)}\, T(i)^{r_i}, \qquad d_i = g^{-r_i},$$

and $r_i$ is a random number from $\mathbb{Z}_p$ chosen for each $i \in \omega$. 

Sign$(PP, K_\omega, M)$: To sign a message represented as a bit string $M = (\mu_1 \cdots \mu_m) \in \{0,1\}^m$ for identity $\omega$, using the private key $K_\omega = (\{D_i\}_{i\in\omega}, \{d_i\}_{i\in\omega}) \in G^{2n}$, select a random $s_i \in \mathbb{Z}_p$ for each $i \in \omega$, and output 

$$\sigma = \Big( \Big\{ D_i \cdot \Big( v' \prod_{j=1}^{m} v_j^{\mu_j} \Big)^{s_i} \Big\}_{i\in\omega},\ \{g^{-r_i}\}_{i\in\omega},\ \{g^{-s_i}\}_{i\in\omega} \Big) \in G^{3n}.$$

Verify$(PP, \omega', M, \sigma)$: To verify a signature $\sigma = (\{S_1^{(i)}\}_{i\in\omega}, \{S_2^{(i)}\}_{i\in\omega}, \{S_3^{(i)}\}_{i\in\omega})$ with respect to an identity $\omega'$, where $|\omega' \cap \omega| \ge d$, and a message $M = (\mu_1, \ldots, \mu_m) \in \{0,1\}^m$, choose an arbitrary $d$-element subset $S$ of $\omega \cap \omega'$ and verify that 



If the equality holds, output 1; otherwise, output 0. 

3.6.4 Security Proofs 

We show security as in Theorem 5.1; the approach is based on that of [48,129]. 

Theorem 3.6.3. Let $\mathcal{A}$ be an adversary that makes at most $l \ll p$ signature queries and produces a successful forgery against our scheme with probability $\epsilon$ in time $t$. Then there exists an algorithm $\mathcal{B}$ that solves the CDH problem in $G$ with probability $\epsilon' \ge \epsilon/(4 p^n n l)$ in time $t' \approx t$. 

Proof. The simulator $\mathcal{B}$ is given an instance $(g, g^a, g^b) \in G^3$ of the CDH problem and wants to produce $g^{ab}$. The simulation proceeds as follows: 

Setup: $\mathcal{B}$ first selects a random identity $\alpha^*$. Next, $\mathcal{B}$ chooses a random $k \in \{0, \ldots, m\}$ and random numbers $x', x_1, \ldots, x_m$ in the interval $\{0, \ldots, 2l-1\}$. It also chooses additional random exponents $z', z_1, \ldots, z_m \in \mathbb{Z}_p$. It lets $g_1 = g^a$, $g_2 = g^b$. It then chooses a random $n$-degree polynomial $f(x)$ and an $n$-degree polynomial $u(x)$ such that $u(x) = -x^n$ if and only if $x \in \alpha^*$. $\mathcal{B}$ sets $t_i = g_2^{u(i)} g^{f(i)}$ for $i$ from 1 to $n+1$. Since the $t_i$ are chosen independently at random, we have 

$$T(i) = g_2^{i^n} \prod_{j=1}^{n+1} \big( g_2^{u(j)} g^{f(j)} \big)^{\Delta_{j,N}(i)} = g_2^{i^n + u(i)}\, g^{f(i)}.$$

The simulator gives the public parameters 

$$PP = \big( g, g_1, g_2, t_1, \ldots, t_{n+1},\ v' = g_2^{-2kl + x'} g^{z'},\ \{v_j = g_2^{x_j} g^{z_j}\}_{j=1,\ldots,m},\ A = e(g_1, g_2) \big).$$

The corresponding master key, $MK = a$, is unknown to $\mathcal{B}$. 


To answer a private key query on an identity $\gamma$ with $|\gamma \cap \alpha^*| < d$, the simulator $\mathcal{B}$ proceeds as follows. We first define three sets $\Gamma, \Gamma', S$ in the following manner: $\Gamma = \gamma \cap \alpha^*$; $\Gamma'$ is any set such that $\Gamma \subseteq \Gamma' \subseteq \gamma$ and $|\Gamma'| = d-1$; and $S = \Gamma' \cup \{0\}$. 

Then we define the private key $K_\gamma$ for $i \in \Gamma'$ as 

$$\big( \{D_i = g_2^{\lambda_i} T(i)^{r_i}\}_{i\in\Gamma'},\ \{d_i = g^{-r_i}\}_{i\in\Gamma'} \big),$$

where $\lambda_i, r_i$ are chosen randomly in $\mathbb{Z}_p$. We define the degree $d-1$ polynomial $q(x)$ by $q(i) = \lambda_i$ for $i \in \Gamma'$ and $q(0) = a$. 

Next we compute the private key $K_\gamma$ for $i \in \gamma - \Gamma'$ as follows: 

$$D_i = \Big( \prod_{j\in\Gamma'} g_2^{\lambda_j \Delta_{j,S}(i)} \Big) \cdot \Big( g_1^{-\frac{f(i)}{i^n + u(i)}} \big( g_2^{i^n + u(i)} g^{f(i)} \big)^{r_i'} \Big)^{\Delta_{0,S}(i)},$$

$$d_i = \Big( g_1^{\frac{1}{i^n + u(i)}}\, g^{-r_i'} \Big)^{\Delta_{0,S}(i)},$$

where $r_i'$ is chosen randomly in $\mathbb{Z}_p$. Since $i \notin \alpha^*$, $i^n + u(i)$ cannot be zero. We claim that this construction is a valid response to the private key query. To see this, let $r_i = \big( r_i' - \frac{a}{i^n + u(i)} \big) \Delta_{0,S}(i)$. Then we have 

$$D_i = \Big( \prod_{j\in\Gamma'} g_2^{\lambda_j \Delta_{j,S}(i)} \Big) \cdot \Big( g_2^{a} \cdot g_2^{-a} g^{-\frac{a f(i)}{i^n+u(i)}} \big( g_2^{i^n+u(i)} g^{f(i)} \big)^{r_i'} \Big)^{\Delta_{0,S}(i)}$$

$$= \Big( \prod_{j\in\Gamma'} g_2^{\lambda_j \Delta_{j,S}(i)} \Big) \cdot g_2^{a \Delta_{0,S}(i)} \cdot \Big( \big( g_2^{i^n+u(i)} g^{f(i)} \big)^{r_i' - \frac{a}{i^n+u(i)}} \Big)^{\Delta_{0,S}(i)}$$

$$= g_2^{\sum_{j\in\Gamma'} \lambda_j \Delta_{j,S}(i) + a \Delta_{0,S}(i)} \cdot T(i)^{r_i} = g_2^{q(i)}\, T(i)^{r_i},$$

$$d_i = \Big( g^{\frac{a}{i^n+u(i)}}\, g^{-r_i'} \Big)^{\Delta_{0,S}(i)} = g^{-\left( r_i' - \frac{a}{i^n+u(i)} \right)\Delta_{0,S}(i)} = g^{-r_i}.$$

This shows that $D_i, d_i$ have the correct distribution. To answer a signature query on an identity $\gamma$ with $|\gamma \cap \alpha^*| < d$, $\mathcal{B}$ uses $K_\gamma$ to create a signature on $M$ exactly as in the actual scheme, and outputs the result. 


To answer a signature query on identity $\alpha^*$ for some $M = (\mu_1 \cdots \mu_m)$, we define $F = -2kl + x' + \sum_{j=1}^{m} x_j \mu_j$ and $J = z' + \sum_{j=1}^{m} z_j \mu_j$. If $F = 0 \pmod p$, the simulator aborts. Otherwise, $\mathcal{B}$ selects a random set $\Lambda$ such that $\Lambda \subset \alpha^*$ and $|\Lambda| = d-1$, and defines $g^{q'(i)} = g^{\lambda_i'}$ for $i \in \Lambda$, where $\lambda_i'$ is chosen randomly in $\mathbb{Z}_p$; that is, $q'$ is the degree $d-1$ polynomial with $q'(i) = \lambda_i'$ for $i \in \Lambda$ and $q'(0) = a$. Then, with $\Lambda_0 = \Lambda \cup \{0\}$, it computes 

$$g^{q'(i)} = g_1^{\Delta_{0,\Lambda_0}(i)} \prod_{j\in\Lambda} \big( g^{\lambda_j'} \big)^{\Delta_{j,\Lambda_0}(i)} \quad \text{for } i \in \alpha^* - \Lambda.$$

$\mathcal{B}$ picks random $r_i, s_i'$ for $i \in \alpha^*$ and computes 

$$S_1^{(i)} = \big( g^{q'(i)} \big)^{-J/F}\, g^{f(i) r_i}\, \big( g_2^{F} g^{J} \big)^{s_i'}, \qquad S_2^{(i)} = g^{-r_i}, \qquad S_3^{(i)} = \big( g^{q'(i)} \big)^{1/F}\, g^{-s_i'}.$$

For $s_i = s_i' - q'(i)/F$, we have 

$$S_1^{(i)} = \big( g^{q'(i)} \big)^{-J/F} g^{f(i) r_i} \big( g_2^F g^J \big)^{s_i'} = \big( g^{q'(i)} \big)^{-J/F} g^{f(i) r_i}\, g_2^{q'(i)} g^{J q'(i)/F} \big( g_2^F g^J \big)^{s_i' - q'(i)/F} = g_2^{q'(i)}\, T(i)^{r_i} \Big( v' \prod_{j=1}^{m} v_j^{\mu_j} \Big)^{s_i},$$

$$S_3^{(i)} = \big( g^{q'(i)} \big)^{1/F} g^{-s_i'} = g^{-s_i},$$

using $T(i) = g^{f(i)}$ for $i \in \alpha^*$ and $v' \prod_{j=1}^{m} v_j^{\mu_j} = g_2^{F} g^{J}$. 

This shows that $S_1^{(i)}$, $S_2^{(i)}$ and $S_3^{(i)}$ have the correct distribution. Eventually, $\mathcal{A}$ outputs a valid forgery $\sigma^* = (\{S_1^{(i)*}\}_{i\in\alpha}, \{S_2^{(i)*}\}_{i\in\alpha}, \{S_3^{(i)*}\}_{i\in\alpha})$ on $M^*$, where $M^* = (\mu_1^* \cdots \mu_m^*) \in \{0,1\}^m$, for identity $\alpha$. Let $F^* = -2kl + x' + \sum_{j=1}^{m} x_j \mu_j^*$ and $J^* = z' + \sum_{j=1}^{m} z_j \mu_j^*$. If $\alpha \ne \alpha^*$ or $F^* \ne 0 \pmod p$, $\mathcal{B}$ aborts. Otherwise, the forgery must be of the following form, for some $r_i^*, s_i^* \in \mathbb{Z}_p$ and some degree $d-1$ polynomial $q^*$ with $q^*(0) = a$: 

$$S_1^{(i)*} = g_2^{q^*(i)}\, T(i)^{r_i^*} \Big( v' \prod_{j=1}^{m} v_j^{\mu_j^*} \Big)^{s_i^*} = g_2^{q^*(i)}\, g^{f(i) r_i^*}\, g^{J^* s_i^*}, \qquad S_2^{(i)*} = g^{-r_i^*}, \qquad S_3^{(i)*} = g^{-s_i^*}.$$

We select a random set $\Lambda'$ such that $\Lambda' \subset \alpha$ and $|\Lambda'| = d$, and compute as follows: 

$$S_1^* = \prod_{i\in\Lambda'} \big( S_1^{(i)*} \big)^{\Delta_{i,\Lambda'}(0)} = \prod_{i\in\Lambda'} g_2^{\Delta_{i,\Lambda'}(0) q^*(i)}\, g^{\Delta_{i,\Lambda'}(0) f(i) r_i^*}\, g^{\Delta_{i,\Lambda'}(0) J^* s_i^*} = g_2^{a} \prod_{i\in\Lambda'} g^{\Delta_{i,\Lambda'}(0) f(i) r_i^*}\, g^{\Delta_{i,\Lambda'}(0) J^* s_i^*},$$

$$S_2^* = \prod_{i\in\Lambda'} \big( S_2^{(i)*} \big)^{\Delta_{i,\Lambda'}(0) f(i)} = \prod_{i\in\Lambda'} g^{-\Delta_{i,\Lambda'}(0) f(i) r_i^*}, \qquad S_3^* = \prod_{i\in\Lambda'} \big( S_3^{(i)*} \big)^{\Delta_{i,\Lambda'}(0)} = \prod_{i\in\Lambda'} g^{-\Delta_{i,\Lambda'}(0) s_i^*}.$$

$\mathcal{B}$ can then solve the CDH instance by outputting $S_1^* \cdot S_2^* \cdot (S_3^*)^{J^*} = g_2^{a} = g^{ab}$. 

$$\Pr[\text{the simulation does not abort}] = \Pr[\alpha = \alpha^*] \cdot \Pr[F \ne 0 \pmod p] \cdot \Pr[F^* = 0 \pmod p] = \frac{1}{p^n} \cdot \Big( 1 - \frac{1}{2l} \Big)^{l} \cdot \frac{1}{2nl} \ge \frac{1}{4 p^n n l}.$$

Thus, $\epsilon' \ge \epsilon \cdot \Pr[\text{the simulation does not abort}]$. $\square$ 

3.6.5 Applications to Biometric Authentication 

An important application of FIBS is biometric authentication. A biometric authentication system is essentially a pattern-recognition system that recognizes a person based on a feature vector derived from a specific physiological or behavioral characteristic that the person possesses [228]. Since biometrics cannot be lost or forgotten like, e.g., computer passwords, biometrics have the potential to offer higher security and more convenience for the users. 

Our FIBS system provides an attractive solution to biometric authentication. We use our FIBS scheme (Setup, Extract, Sign, Verify) presented in Section 3.6.3 as the underlying algorithm. We adopt the biometric authentication model presented by Verbitskiy et al. It consists of two phases: an enrollment phase and an authentication/verification phase. Figure 3.16 gives an illustration of our protocol. In Figure 3.16, the text above an arrow represents the message being sent. For instance, "1. X" means that in step 1, Alice's biometric measurement data X is sent to the Extract box. Our protocol performs as follows: 
Figure 3.16: The proposed biometric authentication architecture. (Figure labels: Alice's Measurement Data X; 1. F_v("Alice"), Y; 3. X; Enrollment; Authentication.) 

Enrollment Phase: 

1. First, Alice goes with her biometric data through an enrollment phase at a certification authority (CA). During this procedure the properties of her biometric data are measured with special equipment. We model the measurement data as a feature vector, which is a set of elements of $\mathbb{Z}^*$. 

2. From the measurement data, a private key $D$ is derived using Extract. 

3. Then the reference data stored in the database is obtained by applying Sign to $D$ using "Alice" as the message. The CA stores $F_v(\text{"Alice"})$ together with the reference data and the biometric measurement data. Here $F_v(M) = v' \prod_{j=1}^{m} v_j^{\mu_j}$, $M = (\mu_1, \ldots, \mu_m) \in \{0,1\}^m$, and $v', v_1, \ldots, v_m$ are public parameters. 

4. The CA then physically erases the private key $D$, the message "Alice," and all the intermediate data. 

Authentication / Verification Phase: 

1. When Alice wants to authenticate herself to Bob at a later point in time, a measurement that extracts her biometric data $Y$ is taken. Alice sends $F_v(\text{"Alice"})$ and $Y$ to the CA. 

2. Bob sends $F_v(\text{"Bob"})$ and a random number $r$ to the CA. 

3. The CA finds the reference data $\sigma = \{\sigma_1^{(i)}, \sigma_2^{(i)}, \sigma_3^{(i)}\}_{i \in X}$ and the biometric measurement data $X$ by searching for $F_v(\text{"Alice"})$. 

4. The CA computes $S = X \cap Y$. 

5. The CA computes 

$$\sigma^* = \{\sigma_1^{(i)*}, \sigma_2^{(i)*}, \sigma_3^{(i)*}, \sigma_4^{(i)*}\}_{i\in S} = \Big\{ \big( \sigma_1^{(i)} F_v(\text{"Bob"}) \big)^{\Delta_{i,S}(0)\, r},\ \big( \sigma_2^{(i)} \big)^{\Delta_{i,S}(0)\, r},\ \big( \sigma_3^{(i)} \big)^{\Delta_{i,S}(0)\, r},\ g^{-\Delta_{i,S}(0)\, r} \Big\}_{i\in S}$$

and returns $\sigma^*$ to Alice. Here $T(i)$ is the public function defined by our FIBS scheme, and the description of $S$ is included in $\sigma^*$. Then, Alice sends $\sigma^*$ and her identity "Alice" to Bob. 

6. Taking $\sigma^*$ and "Alice" as input parameters, Bob checks whether 

$$\prod_{i\in S} \Big( e(\sigma_1^{(i)*}, g) \cdot e(\sigma_2^{(i)*}, T(i)) \cdot e(\sigma_3^{(i)*}, F_v(\text{"Alice"})) \cdot e(\sigma_4^{(i)*}, F_v(\text{"Bob"})) \Big) = A^{r},$$

where $A$ is a public parameter. If it holds, Alice passes the authentication. Otherwise, Alice fails the authentication. 


Security Analysis: The security of our protocol is analyzed in terms of three important security requirements: 

1. "Robust to noise": Biometric data is not exactly reproducible, as two biometric scans of the same feature are rarely identical. 

2. "Anti-impersonation": An attacker steals templates from a database and constructs artificial biometrics that pass authentication. 

3. "Privacy protection": Exposure of sensitive personal information. 

Analysis of "Robust to noise": With the proposed protocol, the Setup algorithm is run to set the error tolerance parameter $d$ according to the noise between two biometric scans. The reference data $\sigma$ stored in the database is generated using $d$, such that a person with biometric measurement $\omega'$ will be authenticated as $\omega$ if $\omega$ and $\omega'$ are within the distance $d$. Therefore, our protocol meets the "Robust to noise" requirement. 

Analysis of "Anti-Impersonation": This security requirement was recognized by several authors [33,274,275]. When an authentication system is used on a large scale, the reference database has to be made available to many different verifiers who cannot be trusted. Especially in a network environment, this is a serious threat. It was explicitly shown [211] that by using information stolen from a database, artificial biometrics can be constructed to impersonate people. Construction of artificial fingerprints is possible even if only part of the template is available. It has been shown [141] that if minutiae templates of a fingerprint are available, it is still possible to construct artificial fingerprints that pass the authentication. 

The proposed protocol satisfies the "Anti-Impersonation" requirement because the underlying FIBS scheme is proved secure under the UF-FIBS-CMA model. In the UF-FIBS-CMA model, the adversary's probability of producing a valid signature on any message under a new private key is negligible, even though he can obtain any number of signatures and private keys. In our protocol, the reference data stored in the database is a FIBS signature. Therefore, if the adversary could construct an artificial template that is different from the template stored in the database, he could produce a successful forgery of the underlying FIBS scheme. 

Analysis of "Privacy protection": It is shown in [228] that several privacy concerns surround the use of biometrics for authentication. Because biometric identifiers are biological in origin, collectors may glean additional personal information from scanned biometric measurements. For instance, certain malformed fingers might be statistically correlated with certain genetic disorders. With the rapid advances in human genome research, the fear of inferring further information from biological measurements becomes serious. 

Because the identity data "Alice" stored in the database is $F_v(\text{"Alice"})$ and the discrete logarithm problem is difficult in the group $G$, the probability of recovering "Alice" is negligible. At the same time, the authentication request sent to the CA only contains $F_v(\text{"Alice"})$. Therefore, the adversary cannot obtain any relationship between the scanned biometric measurement and the identity information stored in the database. Therefore, our protocol meets the "privacy protection" requirement. 

Efficiency: We now consider the efficiency of the scheme in terms of the data size stored in the database and the computation time in the enrollment phase and the authentication/verification phase. 

Let $l_G$ and $l_{\mathbb{Z}^*}$ be the bit lengths of elements in the group $G$ and in $\mathbb{Z}^*$, respectively, and let the biometric measurement data contain $n$ elements of $\mathbb{Z}^*$. The signature consists of three group elements of $G$ for every element in the feature vector $\omega$. That is, the length of the signature is $3n l_G$. The length of $F_v(M)$ is $l_G$. The length of the biometric measurement data is $n l_{\mathbb{Z}^*}$. Therefore, the total length of each record is $3n l_G + n l_{\mathbb{Z}^*} + l_G$. 

The computation time in the enrollment phase is $m + n$ multiplications in $G$ and $2n$ exponentiations in $G$. 

In our rudimentary Sign algorithm, the number of pairings might be as large as the number of elements of the biometric measurement. However, it is possible to optimize this method. We now discuss methods to improve upon it. We find that, for each $i \in \omega$, 

$$e(S_1^{(i)}, g), \qquad e(S_2^{(i)}, T(i)), \qquad e\Big( S_3^{(i)}, v' \prod_{j=1}^{m} v_j^{\mu_j} \Big)$$

can be computed offline. Therefore, we compute and store 

$$e(S_1^{(i)}, g) \cdot e(S_2^{(i)}, T(i)) \cdot e\Big( S_3^{(i)}, v' \prod_{j=1}^{m} v_j^{\mu_j} \Big)$$

to replace the original signature stored in the database. There will be $3n$ more pairing computations in the enrollment phase. So the computation time for the enrollment phase is $m + n$ multiplications in $G$, $2n$ exponentiations in $G$, and $3n$ pairing computations. The total length of each record becomes $n l_{G_T} + n l_{\mathbb{Z}^*} + l_G$. The computation time in the authentication/verification phase is drastically reduced to $n$ exponentiations in $G$, $2n$ exponentiations in $G_T$, and $2(d-1)$ multiplications in $G_T$. 

It is shown in [97] that the iris biometric template has 150 dimensions. Therefore, $n$ is 150. Moreover, $l_{\mathbb{Z}^*}$ is 1024 bits, while $l_{G_T}$ and $l_G$ are 512 bits in the normal case. In summary, we have $n l_{G_T} + n l_{\mathbb{Z}^*} + l_G$ bits, which is nearly 28 KB for each record stored in the database. 

Furthermore, we observe that the computations in the enrollment phase could be run concurrently, so the total computation time for the enrollment phase is roughly $3n$ pairing computations. We consider the benchmarks of the primitive cryptographic operations given by Jiang et al. [161], which were evaluated on an Intel Core 2 Duo 1.83 GHz Linux machine. The computation time for a pairing is 2.75 ms and for a multiplication 0.75 ms. So the enrollment phase takes less than 1.25 s, and the authentication/verification phase takes less than 0.62 s. Note that a pairing operation is roughly two to three times more expensive than an exponentiation in $G$ and $G_T$. 

We have demonstrated that the proposed protocol can function efficiently both in the authentication/verification phase and in the enrollment phase. 

In recent work, ABS has been a hot topic [185,220]. In 2012, two attribute-based signature schemes with constant-size signatures were proposed [139]. Their security is proven in the selective-predicate and adaptive-message setting, in the standard model, under chosen-message attacks, with respect to some algorithmic assumptions related to bilinear groups. 

3.7 Notes 

In this chapter, we have given a comprehensive description of the formal definitions and security models of attribute-based encryption cryptosystems. We also introduced some of our research work published recently in this field, namely a bounded ciphertext-policy encryption scheme published at the conference ASIACCS 2009, a multi-authority attribute-based encryption scheme published at the conferences Indocrypt 2008 and ESORICS 2011, an interval encryption scheme published at the conference ACNS 2010, and a FIBS scheme published in the journal Computers & Electrical Engineering, which has in fact become the attribute-based signature. Readers can refer to [192,198,199,201,301] if they want to know more about ABE and ABS schemes. 

There are also some interesting problems in attribute-based cryptography. For in¬ 
stance, 

1. How to design an expressive CPABE system resisting malicious key leakage? 

    For the bounded ciphertext-policy attribute-based encryption, it is imperative to improve the efficiency of the proposed BCPABE scheme and to design a new kind of BCPABE that excludes the assistance of dummy nodes. In a CPABE system, decryption keys are defined over attributes shared by multiple users. Given a decryption key, it may not be possible to trace it to the original key owner. Also, as a decryption privilege could be possessed by multiple users who own the same set of attributes, malicious users would be tempted to, or be very willing to, leak their decryption privileges without the risk of being caught. This problem severely limits the applications of CPABE. Although some attempts [142,186,187] have been made to address this problem, the policy in these systems can only support a single AND gate with wildcard. Constructing an expressive CPABE system resisting malicious key leakage is still an open problem. 

2. How to design interval encryption schemes in the multi-dimensional scenario? 

3. How to design attribute-based proxy re-encryption schemes with higher efficiency 
and stronger security? 

    Combining the proxy re-encryption technique with the recently introduced attribute-based cryptosystem, an attribute-based proxy re-encryption (ABPRE) scheme has been proposed. All the advantages of a PRE scheme can be inherited in the access control environment. The security model of ABPRE was defined for the first time, and our scheme can be proved selective-structure chosen-plaintext secure and master-key secure in the standard model, assuming that the ADBDH problem and the ADH problem are hard to solve. Moreover, another kind of key delegation algorithm is developed in the ABPRE scheme, providing more delegating capability to each valid user. Future work includes how to design a more delicate ABPRE scheme with higher efficiency and stronger security. Besides, it still remains an open problem to construct an ABPRE scheme that has a reduction based on a more standard and natural assumption. 



Chapter 4 


Batch Cryptography 

4.1 Introduction 

From Chapter 1, we know the new direction of modern cryptography, batch cryptography, which can process decryption, key agreement, and signature/verification in a batch way instead of one by one. In this chapter, we give the formal definitions and concrete schemes as well as the related mathematical theory. Batch cryptography focuses on global efficiency and security. It includes batch decryption, batch key agreement, and batch signature/verification. To the best of our knowledge, this is the first effort towards introducing batch cryptography. 

The remainder of this chapter is organized as follows. A brief review on related work 
of batch signature/verification schemes as well as their security models and schemes 
are given in Section 4.2. Batch decryption and batch key agreement are introduced 
in Section 4.3. Batch RSA is considered as an important case of batch cryptography. 
New batch RSA schemes based on Diophantine equations are presented in Section 4.4. 
To implement these new schemes, we employ some related mathematical theory and 
techniques for solving these Diophantine equations in Section 4.5. Finally, a conclusion 
of the chapter is presented in Section 4.6. 

4.2 Aggregate Signature and Batch Verification 

Aggregate signatures were first introduced by Boneh et al. [38] in 2003 for batch verification, based on the short signature [41] with efficiently computable bilinear maps. An aggregate signature scheme is a special digital signature scheme that supports aggregation, which can be informally defined as follows: given $b$ signatures on $b$ distinct messages from $b$ distinct users, it is possible to aggregate all these signatures $\sigma_1, \sigma_2, \ldots, \sigma_b$ into a single compact signature which convinces the verifier that the $b$ users indeed signed the $b$ original messages in a batch way (i.e., user $i$ signed message $m_i$ for $i = 1, 2, \ldots, b$). Moreover, the aggregation can be performed incrementally. That is, signatures $\sigma_1, \sigma_2$ can be aggregated into $\sigma_{12}$, which can then be further aggregated with $\sigma_3$ to obtain $\sigma_{123}$: 

$$\sigma_1 + \sigma_2 \to \sigma_{12} \quad \text{and} \quad \sigma_{12} + \sigma_3 \to \sigma_{123}.$$

Lysyanskaya et al. [205] use certified trapdoor permutations, which permit only sequential aggregation, i.e., the $b$-th signer must aggregate its own signature into the aggregate signature formed by the first $b-1$ signers. Lu et al. [203] present the first aggregate signature scheme that is provably secure without random oracles. The signatures are sequentially constructed. However, unlike the scheme of Lysyanskaya et al. [205], a verifier need not know the order in which the aggregate signature was created. Additionally, these signatures are shorter than those of Lysyanskaya et al. [205] and can be verified more efficiently than those of Boneh et al. [38]. Ahn et al. [3] modify the stateful signatures of Hohenberger and Waters [146] by removing the chameleon hash and present a surprisingly efficient synchronized aggregate signature scheme which is secure under the computational Diffie-Hellman (CDH) assumption in the standard model. 
In batch verification, Naccache et al. [219] gave the first efficient batch verifier for DSA signatures in 1994; however, an interactive batch verifier presented in an early version of their paper was broken by Lim and Lee [196]. In 1995, Laih and Yen [302] proposed a new method for batch verification of DSA and RSA signatures, but the RSA batch verifier was broken five years later by Boyd and Pavlovski [45]. In 1998, Harn presented two batch verification techniques for DSA [137] and RSA [138], but both were later broken [45,152,153]. In the same year, Bellare et al. [21] took the first systematic look at batch verification and presented three generic methods for batching modular exponentiations, called the random subset test, the small exponents test, and the bucket test, which are similar to the ideas of Laih and Yen [302]. Later, Cheon and Lee [83] introduced two new methods called the sparse exponents test and the complex exponents test, which they claim to be about twice as fast as the small exponents test. In 2000, Boyd and Pavlovski [45] proposed some attacks against different batch verification schemes, most of which were based on the small exponents test and related tests, and repaired some broken schemes based on the small exponents test. In 2001, Hoshino et al. [148] pointed out that the problem discovered by Boyd and Pavlovski [45] was only critical for batch verification such as zero-knowledge proofs. Other schemes for batch verification based on bilinear maps were proposed [304,308,309], but all were later broken by Cao et al. [67]. In 2006, a method was proposed for identifying invalid signatures in RSA-type batch signatures [180], but Stanek [262] showed that this method is flawed. Ferrara et al. [110] gave performance measurements for the schemes herein, and also showed how to batch verify other types of signatures, such as group and ring signatures. Law and Matt [178] pointed out that some identity-based signature schemes batch well, and gave methods for identifying invalid signatures in a batch. Because the goals of batch verification and aggregate signatures are slightly different, it is important to clarify these distinct notions. Informally, the goal of batch verification is to verify $b$ distinct signatures quickly, while the goal of aggregate signatures is to compress these signatures. 

4.2.1 Definitions 

We follow [38] in formalizing the aggregate signature in the chosen-key security model. For the convenience of our presentation, the attacker is also called an adversary or a forger.

Definition 4.2.1. The adversary $\mathcal{A}$ is given a single public key, called the challenge public key. $\mathcal{A}$'s goal is the existential forgery of an aggregate signature. $\mathcal{A}$ is granted the power to choose all public keys except the challenge public key and access to a signing oracle on the challenge public key. $\mathcal{A}$'s advantage, denoted $\mathrm{Adv}_{\mathrm{AggSig},\mathcal{A}}$, is defined to be the probability of success in the following game:

• Setup. $\mathcal{A}$ is provided with a public key $pk_1$, generated at random.

• Queries. $\mathcal{A}$ requests hash values of messages and signatures with $pk_1$ on messages of his choice.

• Response. Finally, $\mathcal{A}$ outputs $b-1$ additional public keys $pk_2, \ldots, pk_b$. These keys, along with the initial key $pk_1$, will be included in $\mathcal{A}$'s forged aggregate. $\mathcal{A}$ also outputs messages $m_1, m_2, \ldots, m_b$ and an aggregate signature $\sigma$, where $\sigma$ is signed by the $b$ users and each user signs the corresponding message.

The aggregate signature $\sigma$ is called nontrivial if $\mathcal{A}$ did not request a signature on $m_1$ under $pk_1$. We define that $\mathcal{A}$ wins if $\sigma$ is a nontrivial valid aggregate signature on messages $m_1, m_2, \ldots, m_b$ under keys $pk_1, pk_2, \ldots, pk_b$. The probability is over the coin tosses of the key-generation algorithm and of $\mathcal{A}$.

Definition 4.2.2. An adversary $\mathcal{A}$ $(t, q_H, q_S, b_{\max}, \epsilon)$-breaks an aggregate signature scheme in the chosen-key model if: $\mathcal{A}$ runs in time at most $t$; $\mathcal{A}$ makes at most $q_H$ queries to the hash function and at most $q_S$ queries to the signing oracle; $\mathrm{Adv}_{\mathrm{AggSig},\mathcal{A}}$ is at least $\epsilon$; and the forged aggregate signature is signed by at most $b_{\max}$ users. An aggregate signature scheme is $(t, q_H, q_S, b_{\max}, \epsilon)$-secure against existential forgery in the chosen-key model if no forger $(t, q_H, q_S, b_{\max}, \epsilon)$-breaks it.

Recall that a digital signature scheme is a tuple of algorithms $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Verify})$ that also is correct and secure. The correctness property states that for all $\mathrm{Gen}(1^t) \to (pk, sk)$, the algorithm $\mathrm{Verify}(pk, m, \mathrm{Sign}(sk, m)) = 1$.

Definition 4.2.3 (Camenisch et al. [60]). Let $t$ be the security parameter. Suppose $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Verify})$ is a signature scheme and $(pk_1, sk_1), \ldots, (pk_b, sk_b)$ are independently generated according to $\mathrm{Gen}(1^t)$. We define a probabilistic batch verification algorithm $\mathrm{Batch}$ as follows:

• $\mathrm{Batch}((pk_1, m_1, \sigma_1), \ldots, (pk_b, m_b, \sigma_b)) = 1$ provided $\mathrm{Verify}(pk_i, m_i, \sigma_i) = 1$ for all $i = 1, 2, \ldots, b$.

• $\mathrm{Batch}((pk_1, m_1, \sigma_1), \ldots, (pk_b, m_b, \sigma_b)) = 0$, except with probability negligible in $t$, taken over the randomness of $\mathrm{Batch}$, provided $\mathrm{Verify}(pk_i, m_i, \sigma_i) = 0$ for any $i = 1, 2, \ldots, b$.

Definition 4.2.4 (Gentry and Ramzan [121]). The security model for identity-based aggregate signature (IBAS) is defined as follows:

• Setup: The adversary $\mathcal{A}$ is given the public key $pk$ of the Private Key Generator (PKG), an integer $b_{\max}$, and any other needed parameters.

• Queries: Proceeding adaptively, $\mathcal{A}$ may choose identities $ID_i$ and request the private key $sk_i$. Also, $\mathcal{A}$ may request an IBAS $\sigma$ on $(pk, S, \{m_j\}_{j=1}^{b})$ where $S = \{ID_j\}_{j=1}^{b}$. We require that $\mathcal{A}$ does not make a query $(pk, S', \{m'_j\}_{j=1}^{b'})$ where $ID_i \in S \cap S'$ and $m'_i \neq m_i$.

• Response: For some $(pk, \{ID_i\}_{i=1}^{b}, \{m_i\}_{i=1}^{b})$ with $b \le b_{\max}$, $\mathcal{A}$ outputs an IBAS $\sigma$.

We call the signature nontrivial if for some $i$, $1 \le i \le b$, $\mathcal{A}$ did not request the private key for $ID_i$ and did not request a signature including the pair $(ID_i, m_i)$. We define that $\mathcal{A}$ wins if $\sigma$ is a nontrivial valid signature on $(pk, \{ID_i\}_{i=1}^{b}, \{m_i\}_{i=1}^{b})$.

Definition 4.2.5. An IBAS adversary $\mathcal{A}$ $(t, \epsilon, b_{\max}, q_H, q_E, q_S)$-breaks an IBAS scheme in the above model if: for the integer $b_{\max}$ as above, $\mathcal{A}$ runs in time at most $t$; $\mathcal{A}$ makes at most $q_H$ hash function queries, $q_E$ private key extraction queries, and at most $q_S$ signing oracle queries; and $\mathrm{Adv}_{\mathrm{IBAS},\mathcal{A}}$ is at least $\epsilon$. An IBAS scheme is $(t, \epsilon, b_{\max}, q_H, q_E, q_S)$-secure against existential forgery if no adversary $(t, \epsilon, b_{\max}, q_H, q_E, q_S)$-breaks it.

4.2.2 Aggregate Signature 

Aggregation is obtained by combining the resulting $b$ signatures $\{\sigma_1, \sigma_2, \ldots, \sigma_b\}$ into one aggregate signature $\sigma$:

$$\sigma = \prod_{i=1}^{b} \sigma_i.$$

We introduce the aggregate signature scheme given by Boneh et al. [38] as follows:

• Setup: Let $e : G_1 \times G_2 \to G_T$ be a bilinear map, where $g$ generates the group $G_2$ of prime order $q$.

• Gen: Choose a random $sk \in \mathbb{Z}_q$ and output $pk = g^{sk}$.

• Sig: A signature on message $m$ is $\sigma = H(m)^{sk}$, where $H$ is a hash function $H : \{0,1\}^* \to G_1$.

• Ver: To verify signature $\sigma$ on message $m$, one checks that $e(\sigma, g) \stackrel{?}{=} e(H(m), pk)$.
Batch verification is very simple. What we need to do are the following two steps: checking that the $m_i$'s are mutually distinct and ensuring that

$$e(g, \sigma) = \prod_{i=1}^{b} e(pk_i, h_i) \qquad (4.1)$$

where $h_i = H(m_i)$. Equality (4.1) holds because

$$e(g, \sigma) = e\Big(g, \prod_{i=1}^{b} h_i^{sk_i}\Big) = \prod_{i=1}^{b} e(g, h_i)^{sk_i} = \prod_{i=1}^{b} e(g^{sk_i}, h_i) = \prod_{i=1}^{b} e(pk_i, h_i). \qquad (4.2)$$

In the special case when all $b$ signatures are issued by the same public key $pk_0$ (same signer), the verification is faster, requiring only 2 pairings. One needs to verify that

$$e(g, \sigma) = e\Big(\prod_{i=1}^{b} H(m_i),\ pk_0\Big),$$

where $m_1, m_2, \ldots, m_b$ are the signed messages.

However, Camenisch et al. [60] pointed out that the aggregate scheme in [38] is not a batch verification scheme since, for any $a \neq 1 \in G_1$, the two invalid message-signature pairs $P_1 = (m_1, a \cdot H(m_1)^{sk})$ and $P_2 = (m_2, a^{-1} \cdot H(m_2)^{sk})$ will verify under Definition 4.2.3.

4.2.3 Identity-Based Aggregate Signature 

In 2006, Gentry and Ramzan [121] gave the first identity-based aggregate signature (IBAS) as follows:

• Setup: It generates groups $G_1$ and $G_2$ of prime order $q$ and an admissible pairing $e : G_1 \times G_1 \to G_2$; chooses an arbitrary generator $P \in G_1$. In addition, it chooses three cryptographic hash functions $H_1, H_2 : \{0,1\}^* \to G_1$ and $H_3 : \{0,1\}^* \to \mathbb{Z}_q^*$. After setting the system parameters, PKG picks a random number $sk_{PKG} \in \mathbb{Z}_q^*$ as its secret key and sets its public key as $P_{pub} = sk_{PKG} \cdot P$. The system parameters are $params = (G_1, G_2, q, e, P, P_{pub}, H_1, H_2, H_3)$. The system's secret is $sk_{PKG}$.

• Extract: For identity $ID_i$, PKG computes

$$sk_i^0 = sk_{PKG} \cdot Q^0_{ID_i} \quad \text{and} \quad sk_i^1 = sk_{PKG} \cdot Q^1_{ID_i},$$

where $Q^0_{ID_i} = H_1(ID_i \| 0)$ and $Q^1_{ID_i} = H_1(ID_i \| 1)$.

• Individual Signing:

(1) Choose a unique string $w$ and compute $P_w = H_2(w) \in G_1$;

(2) Compute $c_i = H_3(m_i, ID_i, w) \in \mathbb{Z}_q^*$;

(3) Generate a random number $r_i \in \mathbb{Z}_q^*$;

(4) Compute the signature $Sig_i = (w, U_i, V_i)$ for message $m_i$, where

$$U_i = r_i \cdot P \quad \text{and} \quad V_i = r_i \cdot P_w + sk_i^0 + c_i \cdot sk_i^1. \qquad (4.3)$$

• Aggregate: Anyone can aggregate a collection of individual signatures that use the same string $w$. Signatures $Sig_i = (w, U_i, V_i)$, $1 \le i \le b$, can be aggregated into $Sig = (w, U, V)$, where $U = \sum_{i=1}^{b} U_i$ and $V = \sum_{i=1}^{b} V_i$.
• Verification: Check that

$$e(V, P) = e(P_w, U)\, e\Big(\sum_{i=1}^{b} Q^0_{ID_i} + \sum_{i=1}^{b} c_i \cdot Q^1_{ID_i},\ P_{pub}\Big), \qquad (4.4)$$

where $c_i = H_3(m_i, ID_i, w)$. The batch verification equality (4.4) holds because:

$$\begin{aligned}
e(V, P) &= e\Big(\sum_{i=1}^{b} V_i,\ P\Big) = e\Big(\sum_{i=1}^{b} r_i P_w + \sum_{i=1}^{b} sk_i^0 + \sum_{i=1}^{b} c_i\, sk_i^1,\ P\Big) \\
&= e\Big(\sum_{i=1}^{b} r_i P_w,\ P\Big)\, e\Big(\sum_{i=1}^{b} sk_{PKG}\, Q^0_{ID_i},\ P\Big)\, e\Big(\sum_{i=1}^{b} c_i\, sk_{PKG}\, Q^1_{ID_i},\ P\Big) \\
&= e\Big(P_w,\ \sum_{i=1}^{b} r_i P\Big)\, e\Big(\sum_{i=1}^{b} Q^0_{ID_i},\ sk_{PKG} P\Big)\, e\Big(\sum_{i=1}^{b} c_i\, Q^1_{ID_i},\ sk_{PKG} P\Big) \\
&= e(P_w, U)\, e\Big(\sum_{i=1}^{b} Q^0_{ID_i},\ P_{pub}\Big)\, e\Big(\sum_{i=1}^{b} c_i\, Q^1_{ID_i},\ P_{pub}\Big) \\
&= e(P_w, U)\, e\Big(\sum_{i=1}^{b} Q^0_{ID_i} + \sum_{i=1}^{b} c_i\, Q^1_{ID_i},\ P_{pub}\Big).
\end{aligned}$$

Figure 4.1: Individual decryption model (decrypt operation cost: $n$ times individual decryption)


4.3 Batch Decryption and Batch Key Agreement 

In the above sections, we focused on signature aggregation and batch verification. From now on, we turn our attention to batch decryption and key agreement schemes. In batch decryption, batch RSA, based on the RSA scheme, is a frequently used example to explain this concept. Batch RSA was first proposed by Fiat [111] in 1989 and later developed by Boneh and Shacham [43] in 2002. It is designed to speed up RSA decryption and signing algorithms. Batch RSA has many applications. Since it was proposed, it has attracted many researchers and industry engineers. Shacham and Boneh [242] improved the performance of SSL based on batch RSA. Yacobi and Beller [298] applied the mathematical ideas of batch RSA to DH-based schemes. They proposed a batch Diffie-Hellman key agreement scheme. Figure 4.1 gives an individual decryption model where messages are encrypted by different public keys and sent to the decryption module individually, and the decryption operations are performed one by one. Thus, the total cost is $n$ times an individual decryption in the dotted line box (we assume that it is a server) in Figure 4.1.

We are trying to find a way to improve the efficiency by a batch model instead of this individual decryption model. Figure 4.2 gives a universal batch decryption model where the messages are encrypted by different public keys and sent to the decryption module individually. The decryption module first merges these ciphertexts, decrypts using its secret key only once, and splits the result into individual plaintexts.

Figure 4.2: Universal batch decryption model

Batch RSA can do a number of RSA decryptions for approximately the cost of a single decryption.

To introduce batch RSA in full, we first give the RSA scheme and then give Fiat's batch RSA and Boneh and Shacham's batch RSA.
4.3.1 Review of RSA

RSA [233] is the most widely deployed public key cryptosystem. It is used for se¬ 
curing web traffic, e-mail, and some wireless devices. Since RSA is based on arithmetic 
modulo large integer numbers it might be slow in constrained environments. For exam¬ 
ple, 1024-bit RSA decryption on a small handheld device such as the PalmPilot III can 
take as long as 30 seconds. Similarly, on a heavily loaded web server, RSA decryption 
significantly reduces the number of SSL requests per second that the server can handle. 
Typically, one improves performance of RSA using special-purpose hardware. Current 
RSA coprocessors can perform as many as 10,000 RSA decryptions per second (using 
a 1024-bit modulus) and even faster processors are coming out. 

The RSA encryption scheme can be summarized as follows. The public key is the pair $(N, e)$, where $N$ is the product of two large primes $p$ and $q$, and $e$ is chosen to be coprime to Euler's function $\phi(N)$. The private key is $d$ where $d = e^{-1} \pmod{\phi(N)}$.

To encrypt a message $m$, one computes the ciphertext $c$ as follows:

$$c = m^e \pmod N. \qquad (4.5)$$

To decrypt the ciphertext $c$, one computes

$$m = c^d \pmod N = c^{1/e} \pmod N. \qquad (4.6)$$

Thus, every decryption consists of one full-sized modular exponentiation.

Later, Quisquater and Couvreur [230] suggested the use of the Chinese Remainder Theorem (CRT) in order to make the decryption run slightly faster. It is standard practice to employ the Chinese Remainder Theorem for RSA decryption. Rather than compute $c^d \bmod N$, the decryptor evaluates:

$$m_p \leftarrow c^{d_p} \bmod p \qquad (4.7)$$

and

$$m_q \leftarrow c^{d_q} \bmod q. \qquad (4.8)$$

Here, $d_p = d \pmod{p-1}$ and $d_q = d \pmod{q-1}$. Then the decryptor uses the CRT to calculate $m$ from $m_p$ and $m_q$. This is approximately four times faster than evaluating $c^d \pmod N$ directly.

Generally speaking, a small value of $e$ is chosen, coprime to $\phi(N)$, and $d$ will be $O(\phi(N))$. In fact, if $d$ were too small (less than exponential in the security parameter), it would allow the cryptanalyst to attack the scheme. Wiener [296] gives attacks on short private keys $d$ of RSA.


Problem 4.3.1. How to cut down the cost of decryption for a batch of ciphertexts? Fiat's batch RSA gives us the first answer to this problem.


4.3.2 Batch RSA 

Fiat's batch RSA [111] is shown in Figure 4.3. Let $e_1, e_2, \ldots, e_b$ be $b$ different encryption exponents, coprime to $\phi(N)$ and to each other, where $N$ is defined as in the RSA scheme. Let

$$e = \prod_{i=1}^{b} e_i \qquad (4.9)$$

be O bits long. Given ciphertexts $c_1, c_2, \ldots, c_b$ corresponding to plaintexts $m_1, m_2, \ldots, m_b$, our goal is to generate the $b$ roots (decryptions):

$$c_1^{1/e_1},\ c_2^{1/e_2},\ \ldots,\ c_b^{1/e_b} \bmod N. \qquad (4.10)$$

Figure 4.3: Batch RSA decryption (Merge, One decrypt, Split)

Let $T$ be a binary tree with leaves labeled $e_1, e_2, \ldots, e_b$. Let $d_i$ denote the depth of the leaf labeled $e_i$; $T$ should be constructed so that $W = \sum_{i=1}^{b} d_i \log e_i$ is minimized, similar to the Huffman code tree construction. For the main result of $O(\log^2 N)$ multiplications per RSA operation, Fiat's scheme could simply assume that $T$ is a full binary tree. In practice, there is some advantage in using a tree that minimizes the sum of weight times path length because the work performed is proportional to the sum $W$ above. Note that $W = O(\log b \log e)$. Finally, Fiat shows that the number of multiplications required to compute the $b$ roots above is $O(W + \log N)$.

In Fiat's scheme, the first goal is to generate the product:

$$A_0 = c_1^{e/e_1} \cdot c_2^{e/e_2} \cdots c_b^{e/e_b}. \qquad (4.11)$$

Fiat also shows that this requires $O(W)$ multiplications. Use the binary tree $T$ as a guide, working from the leaves to the root. Every internal node takes the recursive result from the left branch ($L$) and raises it to the power $E_R$, where $E_R$ is the product of the labels associated with leaves on the right branch. Similarly, each node takes the result from the right branch ($R$) and raises it to the power $E_L$, which is the product of the labels on the left branch. Each node saves the intermediate results $L^{E_R}$ and $R^{E_L}$ (required later). The result associated with this node is $L^{E_R} \cdot R^{E_L}$. The product $A_0$ is simply the result associated with the root.

Second, it extracts the $e$-th root of the product $A_0$:

$$A = A_0^{1/e} = c_1^{1/e_1} \cdot c_2^{1/e_2} \cdots c_b^{1/e_b} \bmod N. \qquad (4.12)$$

This involves $O(\log N)$ modular multiplications, which is equivalent to one RSA decryption.

Third, the factors of $A$ are the roots. The next goal is to break the product $A$ into two subproducts; the breakup is implied by the structure of the binary tree $T$ used to generate the product $A_0$. The scheme repeats this recursively to break up the product into its $b$ factors.

Let $e_1, e_2, \ldots, e_k$ be the labels associated with the left branch of the root of the binary tree $T$. Define an exponent $X$ by means of the Chinese Remainder Theorem (CRT):

$$\begin{aligned}
X &\equiv 0 \pmod{e_1} \\
X &\equiv 0 \pmod{e_2} \\
&\;\;\vdots \\
X &\equiv 0 \pmod{e_k} \\
X &\equiv 1 \pmod{e_{k+1}} \\
&\;\;\vdots \\
X &\equiv 1 \pmod{e_b}
\end{aligned} \qquad (4.13)$$

There is a unique solution for $X$ modulo $e = \prod_{i=1}^{b} e_i$ by the CRT. By (4.13), let

$$X = \Big(\prod_{i=1}^{k} e_i\Big) \cdot X_1 \qquad (4.14)$$

and

$$X - 1 = \Big(\prod_{i=k+1}^{b} e_i\Big) \cdot X_2, \qquad (4.15)$$

where $X_1, X_2$ are positive integers. Let $P_1 = \prod_{i=1}^{k} e_i$ and $P_2 = \prod_{i=k+1}^{b} e_i$; then $X = P_1 \cdot X_1$ and $X - 1 = P_2 \cdot X_2$. Compute

$$C_1 = c_1^{P_1/e_1} \cdot c_2^{P_1/e_2} \cdots c_k^{P_1/e_k} \bmod N \qquad (4.16)$$

and

$$C_2 = c_{k+1}^{P_2/e_{k+1}} \cdot c_{k+2}^{P_2/e_{k+2}} \cdots c_b^{P_2/e_b} \bmod N. \qquad (4.17)$$

Note that $C_1$ and $C_2$ have already been computed, as the left and right branch values of the root, during the tree-based computation of $A_0$.

Raise $A$ to the $X$-th power modulo $N$. It follows from

$$A^X = \Big(\prod_{i=1}^{k} c_i^{P_1/e_i}\Big)^{X_1} \cdot \Big(\prod_{i=k+1}^{b} c_i^{P_2/e_i}\Big)^{X_2} \cdot \prod_{i=k+1}^{b} c_i^{1/e_i} = C_1^{X_1} \cdot C_2^{X_2} \cdot \prod_{i=k+1}^{b} c_i^{1/e_i}$$

that $Q_2 = \prod_{i=k+1}^{b} c_i^{1/e_i}$, and so $Q_1 = \prod_{i=1}^{k} c_i^{1/e_i}$ since $Q_1 = A/Q_2$. After that, it recursively breaks up the two products $Q_1$ and $Q_2$, respectively, until each $c_i^{1/e_i}$ is obtained. Thus, the overall number of multiplications is $O(W)$. The number of modular divisions required is $O(b)$.

To summarize this method, we introduce the following theorem.

Theorem 4.3.2 (Fiat [111]). Let $e_1, e_2, \ldots, e_b$ be $b$ different encryption exponents, relatively prime to $\phi(N)$ and to each other. Given the ciphertexts $c_1, c_2, \ldots, c_b$, we can generate the $b$ roots

$$c_1^{1/e_1},\ c_2^{1/e_2},\ \ldots,\ c_b^{1/e_b} \bmod N$$

in $O\big(\log b \,(\sum_{i=1}^{b} \log e_i) + \log N\big)$ modular multiplications and $O(b)$ modular divisions.

Fiat's batch RSA gave an example: when using small public exponents $e_1$ and $e_2$, it decrypts two ciphertexts for approximately the price of one decryption.

Suppose $c_1$ is a ciphertext obtained by encrypting some plaintext $m_1$ using the public key $(N, 3)$, and $c_2$ is a ciphertext for some $m_2$ using $(N, 5)$. To decrypt, one must compute $c_1^{1/3}$ and $c_2^{1/5} \pmod N$. Fiat observed that by setting

$$A = (c_1^5 \cdot c_2^3)^{1/15} \qquad (4.18)$$

one obtains

$$c_1^{1/3} = \frac{A^{10}}{c_1^3 \cdot c_2^2} \qquad (4.19)$$

and

$$c_2^{1/5} = \frac{A^6}{c_1^2 \cdot c_2}. \qquad (4.20)$$

Hence, at the cost of computing a single 15th root and some additional arithmetic, it is able to decrypt both $c_1$ and $c_2$. Computing a 15th root is considered to take the same time as a single RSA decryption in this case.

Boneh and Shacham [43] generalized (4.19) and (4.20) to

$$m_i = \frac{A^{\alpha_i}}{c_i^{(\alpha_i - 1)/e_i} \cdot \prod_{j \neq i} c_j^{\alpha_i/e_j}} \pmod N \qquad (4.21)$$

where $\alpha_i$ satisfies

$$\alpha_i \equiv \begin{cases} 1 \pmod{e_i}, \\ 0 \pmod{e_j}, \text{ for } j \neq i, \end{cases} \qquad (4.22)$$

where $1 \le i, j \le b$.

This method requires $b$ different modular inversions, whereas Fiat's tree-based method requires $2b$ modular inversions, but fewer auxiliary multiplications. Thus, Boneh and Shacham give an improvement to Fiat's scheme. However, in Boneh and Shacham's scheme, it is still required to solve the system of linear congruences (4.22) with $b$ modular inversions. In addition, it is not easy to implement in hardware using these different public keys $(e_1, e_2, \ldots, e_b)$ as the moduli equipped in advance in chip-based systems. Thus, we leave the following problems:
Problem 4.3.3. For each $b$, how to obtain all $\alpha_i$'s satisfying Equation (4.22) without any modular operation?

Problem 4.3.4. Are there any other methods to split the plaintext directly like Equation (4.21)?

Once Problem 4.3.3 is solved, we can directly obtain $m_i$ satisfying Equation (4.21) using only one modulus $N$, which allows us to implement batch RSA in hardware easily. If the answer to Problem 4.3.4 is positive, we can get more methods to split the plaintext into individual plaintexts. We will discuss this in Section 4.4.

4.3.3 Batch Key Agreement 

In this section, we consider a star-like network to present the batch key agreement. 
For example, in a personal communication system network, the central server, through 
the ports, agrees upon a session key with each of the users. Each port holds a secret key 
that is used to establish a secret channel in the network. 

Yacobi and Beller [298] proposed a solution in which each of the users picks a random number, encrypts it with the public key of the corresponding port, and sends it to the counterpart port. The central server decrypts the received ciphertexts, and uses the random numbers or their hash values as session keys. Yacobi and Beller [298] summarized the difference between RSA-based and DH-based key exchange. The basic DH scheme was first proposed in [99]; it exchanges keys individually and needs $b$ operations when the number of users is $b$. Yacobi and Beller [298] presented a batch RSA key agreement as follows:

• First, the central server with $b$ ports communicates with the users. The central server generates a public/private key pair for each port. The modulus is a composite $N$, which is the product of two large primes $p$ and $q$. Each port's public key $e_i$ is chosen to be coprime to Euler's function $\phi(N)$, and the $e_i$ are pairwise coprime. The private key is $d_i$, where $d_i = e_i^{-1} \pmod{\phi(N)}$.

• Second, when $b$ users want to agree on session keys individually with the central server, each user needs to find an available port and encrypts a chosen random number using the port's public key $e_i$.

• Third, when the central server receives the ciphertexts from each port $i$, it takes one decryption, similar to the batch RSA decryption in the above section, and gets the random numbers that could finally generate the session keys.

4.4 Batch RSA’s Implementation Based on Diophantine 
Equations 

In this section, we introduce our batch RSA implementation based on Diophantine equations. Our implementation of batch RSA saves $b-1$ modular inversion computations compared with Fiat's batch RSA and Boneh and Shacham's implementations. Furthermore, our implementation is more suitable for hardware circuits. If we apply this algorithm to a hardware circuit for batch RSA decryption, our implementation requires only one circuit module to do modular operations for $N$, while each of the other two implementations requires $b$ different modules to do modular operations, which is difficult to write into chips in advance and varies for every decryption.

4.4.1 Implementation Based on Plus-Type Equations 

We find that the solutions of the Diophantine equation

$$\sum_{1 \le i \le n} \frac{1}{x_i} + \prod_{1 \le i \le n} \frac{1}{x_i} = 1, \qquad 2 \le x_1 < x_2 < \cdots < x_n \qquad (4.23)$$

can be used to implement batch RSA so that the plaintexts can be constructed directly and the whole decryption only uses the modulus $N$. We call Equation (4.23) a Plus-Type Diophantine Equation or Plus-Type Equation. For convenience, throughout this book, Equation (4.23) with $n$ unknown variables is denoted as Equation $(4.23)_n$.

Our new implementation of batch RSA contains three algorithms: KeyGen, Encrypt, and Decrypt. The essence of the new implementation is in the decryption algorithm.

• KeyGen: This algorithm follows Fiat's batch RSA key generation algorithm except that it chooses the public keys $e_1, e_2, \ldots, e_b$ from a solution of Equation $(4.23)_n$, that is, $\{e_1, e_2, \ldots, e_b\} \subseteq \{x_1, x_2, \ldots, x_n\}$.

• Encrypt: This algorithm is the same as in Fiat's batch RSA.

• Decrypt: This algorithm consists of three steps:

- "Merge": The algorithm evaluates $A_0 = \prod_{1 \le i \le b} c_i^{e/e_i} \bmod N$. This computation can be finished by Fiat's optimized algorithm [111].

- "One decrypt": The algorithm evaluates one full-scale modular exponentiation $A = A_0^{1/e} \bmod N$.

- "Split": The essence of our implementation is

$$\alpha_i = \frac{\prod_{1 \le j \le n} x_j}{e_i} \qquad (4.24)$$

where $1 \le i \le b$, and it outputs¹

$$m_i = \frac{c_i^{(\alpha_i + 1)/e_i} \cdot \prod_{j \neq i} c_j^{\alpha_i/e_j}}{A^{\alpha_i}} \pmod N. \qquad (4.25)$$

Remark 4.4.1. In our decrypt algorithm, after the plaintexts $(m_1, m_2, \ldots, m_{b-1})$ are decrypted, the final $m_b$ can be calculated by

$$m_b = \frac{A}{\prod_{i=1}^{b-1} m_i} \pmod N, \qquad (4.26)$$

where the computation can be reduced.

¹ Equation (4.25) is slightly different from Equation (4.22) since we choose the Plus-Type Equation.

Remark 4.4.2. If the public keys $e_1, e_2, \ldots, e_b$ are chosen arbitrarily (not from a solution $(x_1, x_2, \ldots, x_n)$ of Equation $(4.23)_n$), Equation (4.25) is also satisfied when $\alpha_i$ satisfies

$$\alpha_i \equiv \begin{cases} -1 \pmod{e_i}, \\ 0 \pmod{e_j}, \text{ for } j \neq i. \end{cases} \qquad (4.27)$$

Theorem 4.4.3 (Correctness). The above scheme is correct.

Proof. From $A = A_0^{1/e} \bmod N$, we have

$$A = \prod_{1 \le i \le b} c_i^{1/e_i} \pmod N.$$

Since $(x_1, \ldots, x_n)$ is a solution of Equation $(4.23)_n$, multiplying Equation (4.23) by $\prod_{1 \le k \le n} x_k$ gives $\sum_{1 \le i \le n} \frac{\prod_{1 \le k \le n} x_k}{x_i} + 1 = \prod_{1 \le k \le n} x_k$, and reducing modulo $x_i$ leaves only the $i$-th term on the left, so we have

$$\frac{\prod_{1 \le k \le n} x_k}{x_i} \equiv -1 \pmod{x_i}$$

and

$$\frac{\prod_{1 \le k \le n} x_k}{x_i} \equiv 0 \pmod{x_j}$$

(for all $i, j$ such that $1 \le i \le n$, $1 \le j \le n$, $j \neq i$). Hence $e_i \mid \alpha_i + 1$ and $e_j \mid \alpha_i$ (for all $i, j$ such that $1 \le i \le b$, $1 \le j \le b$, $j \neq i$). In Equation (4.25), all the modular exponentiations are integer exponentiations. Therefore, it follows from a direct computation that $m_i = c_i^{1/e_i} \pmod N$, where $1 \le i \le b$. □


For a simple example, we choose a solution $(2, 3, 7)$ of Equation $(4.23)_3$ and take 3 and 7 as the public keys $e_1$ and $e_2$, respectively. Thus,

$$\alpha_1 = \frac{\prod_{1 \le j \le 3} x_j}{e_1} = \frac{2 \cdot 3 \cdot 7}{3} = 14, \qquad (4.28)$$

and

$$\alpha_2 = \frac{\prod_{1 \le j \le 3} x_j}{e_2} = \frac{2 \cdot 3 \cdot 7}{7} = 6. \qquad (4.29)$$
Thus, we can get $m_i$ as follows:

(4.30)

$$m_1 = \frac{c_1^{5} \cdot c_2^{2}}{A^{14}} \pmod N, \qquad (4.31)$$

$$m_2 = \frac{c_1^{2} \cdot c_2}{A^{6}} \pmod N. \qquad (4.32)$$

In fact, $m_b$ can be obtained through Remark 4.4.1. As shown in the above example, if we compute $m_2$ first and then compute $m_1 = A/m_2$, we can finish the split (decryption) efficiently. Therefore, we give a new method to compute $\alpha_i$ without any modular operation and a new method to split the plaintext. And so, the answer to Problem 4.3.4 is "YES". As far as Problem 4.3.3 is concerned, for an arbitrary positive integer $b$, we are able to find many $\alpha_i$'s. Furthermore, if $b$ is not greater than 8, we are able to find all $\alpha_i$'s. We will introduce our work towards these problems in detail in Section 4.5.

Here, we would like to point out the differences among Fiat's batch RSA, Boneh and Shacham's batch RSA and our implementation. The advantage of our implementation is that there is only one modulus, $\bmod N$, while both Fiat's batch RSA and Boneh and Shacham's implementation require at least $b$ moduli.


Fiat's batch RSA: In KeyGen, $\{e_1, \ldots, e_b\}$ are randomly picked. In Decrypt, Fiat's tree-based method requires $2b+1$ moduli. $k$ is chosen so that $1 \le k < b$. Let $P_1 = \prod_{1 \le i \le k} e_i$, $P_2 = \prod_{k < i \le b} e_i$, $X_1 = P_1^{-1} \bmod P_2$, $X_2 = (P_1 X_1 - 1)/P_2$. Then compute

$$\frac{A^{P_1 X_1}}{\Big(\prod_{1 \le i \le k} c_i^{P_1/e_i}\Big)^{X_1} \Big(\prod_{k < i \le b} c_i^{P_2/e_i}\Big)^{X_2}} \pmod N = \prod_{k < i \le b} m_i \pmod N,$$

and

$$\frac{A}{\prod_{k < i \le b} m_i} \pmod N = \prod_{1 \le i \le k} m_i \pmod N.$$

This process is done recursively until $m_1, m_2, \ldots, m_b$ are calculated.

Boneh and Shacham's improvement: In Decrypt, $\alpha_i$ is obtained from Equations (4.22). Then $m_1, \ldots, m_{b-1}$ are evaluated by Equation (4.21). $m_b$ is calculated by $m_b = A / \prod_{1 \le j < b} m_j \bmod N$. The evaluation of $\alpha_1, \alpha_2, \ldots, \alpha_b$ requires $b$ moduli.

Our implementation: $\alpha_1, \alpha_2, \ldots, \alpha_b$ are evaluated directly from the solution of Equation (4.23). Therefore, $b-1$ moduli are saved. Furthermore, we get the plaintext $m_i$ from Equation (4.21).


4.4.2 A Concrete Example Based on Plus-Type Equations 


We give a concrete example to explain our algorithm and show its advantage.

KeyGen: Let the batch size $b = 7$. Randomly choose two 512-bit primes $p$ and $q$:

p =10117548898104292384286149905619010120991278203895691114024386173114298 
44196706850901843445909220802938862195711111823138805089269233175589739 
8024486601967, 

q =11942104782310447106884510125435655207765533763318483151065949254099976
07148379656268155866005262065749842699695077677106764786988072219334757
0651658382099.
Let $N = p \cdot q$.

N =12082482908131106460128885334610470733722100002825862245001246171456821 
80012763601040492827413417501769408868451698340800241737759849184798713 
84311467341679006113447482380675139998093264657381057047502767534877118 
98885364204757448057797883429393903920166667955622009797159159329896972 
3360357448012917410988733. 

We also randomly choose a solution $(x_1, x_2, \ldots, x_8)$ of Equation $(4.23)_8$ where

$$(x_1, x_2, \ldots, x_8) = (2, 5, 7, 11, 17, 157, 961, 4398619).$$

Choose the public keys as a subset of $\{x_1, x_2, \ldots, x_8\}$, for example,

$$e_1 = 5,\ e_2 = 7,\ e_3 = 11,\ e_4 = 17,\ e_5 = 157,\ e_6 = 961,\ e_7 = 4398619.$$

We compute

$$x = \prod_{1 \le i \le 8} x_i = 8687184244716670.$$

Thus, the public key is $(N, b = 7, e_1, \ldots, e_7, x)$. We compute the private key $d = (\prod_{1 \le j \le 7} e_j)^{-1} \pmod{\phi(N)}$. $d$ is as follows:

d =51876628765295878339434317579819334450607160465137205859602663251881894 
76248150332865697383721278328392362980310483479730993621055438208436678 
79229731524489835689222861536030650222353925195560713659815910775865522 
82418304145301163771498370785315888078449179919532145099665908400332933
900700629001536377165451.
Encrypt: In this algorithm, we randomly choose a set of plaintexts as follows:

mi =42216335483922430422828646305226638636955551187036758338218940369050771 
71838777670539200939753400187558122765253611872592118414072653271581340 
49557150686378816189760567012318705743611765112882799638223233870402496 
60612305070655416046124619992356068472712803701841057530336101962637429 
708518613124606072032913, 

m 2 =11515339478373653799409100162804092001627376847524519454456897879722755 
72450525649782084136951971592156312409505014881084133776507758249194091 
01745183559536347953424619444068351729672938002818082476781228433719588 
49030458058556915325246572500148818313879322593916775020883447348607809 
3654331805097407477851212, 

m 3 =47564196149813970007363884131737190884763138301794058772403642723080473 
12035300434644530039033892729163849746746554561004845842905132968056260 
46689776922999970386770238498695474858361140251559169316946590930490790 
74855077783622152296547567667859890106605979365108882896772768642533878 
129671533527391835259813, 

m 4 =47076113695544237253122064671136422055958210860752623025678325581081815 
84726955718832078797363240141336812574782622687307406041247418256240938 
54400992362572138986858352204679423469820466914319036593211022030949477 
53860823597327978844407313209862946613671724072935020256407939759987354 
078957243653508906462050, 

m_5 =30568044214000539098104805334573980758657958880378082233476394264866596
11473267935711445240332623905770776659086150428617242444099500783232312 
04676910816693107200514851741175379334306919644777051154134292280179732 
07188602119552456911467534569434906151478718718595432509630542457525910
131946213578956292963396,
m_6 =41377747175811034232018876246074059499644813172580074927939214929882998
79343270705904474700195302890675803041195770969714258620664937410522441 
78736605455167725304146829924000744594614850114240963709159146374669699 
62099112312462790622604288246922576918641763721175549148057922321723822 
247230264707138113937042, 
and 

m 7 =18771896161902354107492151420608960655175748847557766591096333115544693 
88639115772459886403263920691549973938090162854541237354779139974823373 
22150711283782344174258728142522160188013242155927394712955764457748723 
37172809149112059845297173025509381745188281479782761341318653942719134 
671008123932040544891767. 

The ciphertext $c_i$ is computed as $c_i = m_i^{e_i} \pmod N$, where $1 \le i \le 7$. The ciphertexts are

Cl =32162445244401743657170446510623926600937713705351525278004836278347467 
78927818565931306900626346594961086912725141809256522635855273218400519 
72284664046732942258138795733271680027669332436406173493987951365152414 
60797459530585405018120324737308623849797695612736566101235396092740354 
722520913907481538932914, 

c_2 = 11126467052899354989487810154732066615105697509420849586673823566312709
37106371291521967449468618459618164119164667029310985402655564125542964 
94010110454544233209099018186584811824903310123116178433727720898855237 
28984076826348484900130452142401788332892321945373838606441449511625255 
9429226960199357541705876, 

c_3 = 42702738253874326011706347202093584148640737529891335287560057328232353
12936031281751279979434019357164808476168319559847561796277935971011335 
12500689235545118116809962307591329406164127984458850739739240726187291 
08244500104462787099197514522083354004527717032842340463375898989280266
039035464356357669755894,
c_4 = 12040562557445113732473911652223993486907469290295457468128810943319836
89865239881378622819502882220194632147152122716053991772220199156765230 
27510298197878920424163371390730684468025560664928791033866500650711867 
64062267173825842140914417574375291482513842223759443700367430229129300 
5181012290132879477619117, 

c_5 = 66699227296798574343397095996822802356352501707241226477647274006905968
10673854955408065485554029221240872924799602606228672828557689341973222 
51563295263105644219421197195443848039478669501756964029791476750411047 
04900146183224578433038704943628899192782802758784232421703243761756962 
894634288996400822908449, 

c_6 = 35842810907626545862969792069041104823971684976414879250901086369792821
45580427757242397757516407715510081504624842581515104846891405331533253 
61167679156090524981249642173885098604795315049563957046069182482249951 
05623301480564801725462585729948675579745223831303862071442959713127023 
481367052128284782369023, 
and 

c_7 = 47155671451031215409844124716042641165572494776610186942841230939281162
67241186266669860841735961194282501443823932882005051795195976808037886 
40329386789302925870414294037418371443238801520123232628229674559133870 
46744561955317811032439098967200824031961905675407869670714450791407371
569282383073692093702050.
Decrypt: In this algorithm, we first merge these ciphertexts to evaluate $A_0$ by Fiat's method.

A_0 = 52359866444019503369219138689244129876435136131866887023807097362559424
85204585255108074606984294095293919326326201521808678582533044952634349 
94510658185476933422534369085535424171842256268376777043427683909828453 
16021327514525201378524377441114039247482047879358064064184921287633493 
11895521745079888137070, 

After that, we take one decryption, which does a full-scale modular exponentiation $A = A_0^d \pmod N$:

A = 97020381281501165266847566088201413180464241138685997123851463155123151
43976735868920221887471189785523640074792116012536463406101039184891861 
98642917692578018622021094482005608364078487921673756050283179384743906 
97318487470321735651171108807814620809108832763769829503607711597977756 
914765803133937106665598. 

Finally, from Equation (4.24), we split the plaintext using the following $\alpha_i$:


$$\alpha_1 = 1737436848943334,\quad \alpha_2 = 1241026320673810,\quad \alpha_3 = 789744022246970,\quad \alpha_4 = 511010837924510,$$
$$\alpha_5 = 55332383724310,\quad \alpha_6 = 9039733865470,\quad \alpha_7 = 1974979930.$$
We get the plaintext from Equation (4.25):


$$m_1' = \frac{c_1^{(\alpha_1+1)/e_1}\prod_{2\le j\le 7} c_j^{\alpha_1/e_j}}{A^{\alpha_1}}
= c_1^{347487369788667}\cdot c_2^{248205264134762}\cdot c_3^{157948804449394}\cdot c_4^{102202167584902}\cdot c_5^{11066476744862}\cdot c_6^{1807946773094}\cdot c_7^{394995986}\cdot A^{-1737436848943334} \pmod N.$$


We find that $m_1' = m_1$, which shows the correctness of our implementation. Note that $m_2, m_3, \ldots, m_7$ can be computed in the same way from Equation (4.25) and Equation (4.26). In fact, if we compute $m_2, m_3, \ldots, m_7$ first and then compute $m_1$ as in Remark 4.4.1, we can finish the split (decryption) efficiently.


4.4.3 Implementation Based on Minus-Type Equations 

We find that the solutions of the following Diophantine Equation

$$\sum_{1\le i\le n}\frac{1}{x_i} - \prod_{1\le i\le n}\frac{1}{x_i} = 1,\qquad 2 \le x_1 < x_2 < \cdots < x_n \qquad (4.33)$$

can also be used to implement batch RSA, so that the $\alpha_i$ satisfying Equation (4.22) can be constructed directly and the whole decryption uses only modular operations mod $N$. We call Equation (4.33) the Minus-Type Diophantine Equation or Minus-Type Equation. For convenience, throughout this book, Equation (4.33) with $n$ unknown variables is denoted as Equation (4.33)$_n$.

Our new implementation of batch RSA also contains three algorithms: KeyGen, Encrypt, and Decrypt. The essence of the implementation is in the decryption algorithm. Algorithms KeyGen and Encrypt are the same as in our implementation based on the Plus-Type Equations.

Decrypt: This algorithm takes a public key $(N, b, e_1, e_2, \ldots, e_b, x = \prod_{1\le i\le n} x_i)$, a private key $d$, and ciphertexts $c_1, c_2, \ldots, c_b$ as input. It evaluates $A_0 = \prod_{1\le i\le b} c_i^{e/e_i} \pmod N$ by the methods proposed by Fiat, and $A = A_0^d \pmod N$. Obviously

$$A = \prod_{1\le i\le b} m_i \pmod N.$$

Then it evaluates

$$\alpha_i = \frac{x}{e_i},\qquad 1\le i\le b,$$

and it outputs

$$m_i = \frac{A^{\alpha_i}}{c_i^{(\alpha_i-1)/e_i}\prod_{1\le j\le b,\ j\ne i} c_j^{\alpha_i/e_j}} \pmod N,\qquad 1\le i\le b. \qquad (4.34)$$


Remark 4.4.4. In our decrypt algorithm, after the plaintexts $(m_1, m_2, \ldots, m_{b-1})$ are decrypted, the final $m_b$ can be calculated by

$$m_b = \frac{A}{\prod_{1\le i\le b-1} m_i} \bmod N,$$

so the computation can be reduced.

In our implementation, $b-1$ moduli are eliminated compared with Fiat's batch RSA and Boneh and Shacham's improvement. Since $(x_1, x_2, \ldots, x_n)$ is a solution of Equation (4.33)$_n$ and $\{e_1, e_2, \ldots, e_b\} \subset \{x_1, x_2, \ldots, x_n\}$, $\alpha_1, \alpha_2, \ldots, \alpha_b$ are evaluated by $\alpha_i = \frac{1}{e_i}\prod_{1\le j\le n} x_j$ without modular inversion. Therefore, there is only one kind of modular operation, which is "mod $N$." If we make a hardware circuit for batch RSA decryption, our implementation requires one circuit module doing modular operations, while the other two implementations both require $b$ modules doing modular operations. Our implementation is more suitable for hardware circuits.


Theorem 4.4.5 (Correctness). The above scheme is correct.

Proof. See the proof of Theorem 4.4.3. □
For a simple example, we choose a solution $(2, 3, 11, 13)$ of Equation (4.33)$_4$ and take $3, 11$, and $13$ as the public keys $e_1$, $e_2$, and $e_3$, respectively.

First, we have

$$x = 2\cdot 3\cdot 11\cdot 13 = 858,\qquad e = e_1\cdot e_2\cdot e_3 = 429,$$

and

$$A = \left(c_1^{429/3}\cdot c_2^{429/11}\cdot c_3^{429/13}\right)^{1/429} = \left(c_1^{143}\cdot c_2^{39}\cdot c_3^{33}\right)^{1/429} \pmod N. \qquad (4.35)$$

Second, we can get $\alpha_i$:

$$\alpha_1 = \frac{x}{e_1} = \frac{858}{3} = 286,\qquad \alpha_2 = \frac{x}{e_2} = \frac{858}{11} = 78,\qquad \alpha_3 = \frac{x}{e_3} = \frac{858}{13} = 66.$$

Third, we can get $m_i$:

$$m_1 = \frac{A^{286}}{c_1^{95}\cdot c_2^{26}\cdot c_3^{22}} \pmod N, \qquad (4.36)$$

and $m_2$ and $m_3$ can be obtained in the same way.


4.4.4 A Concrete Example Based on Minus-Type Equations 

We explain the implementation by a concrete example. 

KeyGen: Let the batch size $b = 4$. We choose $p = 107$ and $q = 83$. Let $N = p\cdot q = 8881$. From the solution $\{x_1 = 2, x_2 = 3, x_3 = 11, x_4 = 17, x_5 = 59\}$ of Equation (4.33)$_5$, we choose the public key as follows: $e_1 = 3$, $e_2 = 11$, $e_3 = 17$, and $e_4 = 59$. Let $e = \prod_{1\le i\le b} e_i = 33099$ and $x = \prod_{1\le i\le 5} x_i = 66198$. The private key is $d = e^{-1} \pmod{\phi(N)} = 4083$.


Encrypt: Suppose the plaintexts are $m_1 = 1000$, $m_2 = 2000$, $m_3 = 3000$, and $m_4 = 4000$. We compute the ciphertexts $c_1 = 8281$, $c_2 = 1316$, $c_3 = 4824$, and $c_4 = 169$.


Decrypt: The algorithm evaluates the following values. We have $A_0 = 7441$ and take one decrypt operation $A = A_0^{4083} \bmod 8881 = 4982$. We can obtain $\alpha_i$ as follows:

$$\alpha_1 = \frac{66198}{3} = 22066,\quad \alpha_2 = \frac{66198}{11} = 6018,\quad \alpha_3 = \frac{66198}{17} = 3894,\quad \alpha_4 = \frac{66198}{59} = 1122.$$

Then the algorithm outputs

$$m_1' = \frac{4982^{22066}}{8281^{(22066-1)/3}\times 1316^{22066/11}\times 4824^{22066/17}\times 169^{22066/59}} \pmod{8881} = 1000,$$

which shows that $m_1' = m_1$. Note that $m_2'$, $m_3'$, and $m_4'$ can be computed in the same way:

$$m_2' = \frac{4982^{6018}}{8281^{6018/3}\times 1316^{(6018-1)/11}\times 4824^{6018/17}\times 169^{6018/59}} \pmod{8881} = 2000,$$

$$m_3' = \frac{4982^{3894}}{8281^{3894/3}\times 1316^{3894/11}\times 4824^{(3894-1)/17}\times 169^{3894/59}} \pmod{8881} = 3000,$$

$$m_4' = \frac{4982^{1122}}{8281^{1122/3}\times 1316^{1122/11}\times 4824^{1122/17}\times 169^{(1122-1)/59}} \pmod{8881} = 4000.$$

Obviously, $m_2' = m_2$, $m_3' = m_3$, and $m_4' = m_4$.
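The minus-type batch RSA decryption of Sections 4.4.3 and 4.4.4, as an added Python example (not the book's implementation): it rebuilds the toy parameters above (N = 8881, e_i = 3, 11, 17, 59, x = 66198, d = 4083), merges the ciphertexts, performs the single private-key exponentiation and splits the result with Equation (4.34). Function and constant names are my own, the merge is a plain product rather than Fiat's tree, and the division in (4.34) is done with a modular inverse mod N.

```python
"""Batch RSA decryption based on the Minus-Type Equation (4.33).

Added example with the toy parameters of Section 4.4.4; not the book's code.
"""
from math import prod

# Key material copied from the Section 4.4.4 example (toy sizes, not secure).
P, Q = 107, 83
N = P * Q                                  # 8881
X_SOLUTION = (2, 3, 11, 17, 59)            # a solution of Equation (4.33)_5
E = (3, 11, 17, 59)                        # public exponents e_1..e_b, a subset of the x_i
X = prod(X_SOLUTION)                       # x = 66198
D = pow(prod(E), -1, (P - 1) * (Q - 1))    # d = e^{-1} mod phi(N) = 4083


def is_minus_solution(xs):
    """Check sum 1/x_i - prod 1/x_i = 1 in integers: sum(x/x_i) = x + 1."""
    x = prod(xs)
    return sum(x // xi for xi in xs) == x + 1


def encrypt(plaintexts):
    """c_i = m_i^{e_i} mod N, one public exponent per batch slot."""
    return tuple(pow(m, e, N) for m, e in zip(plaintexts, E))


def batch_decrypt(ciphertexts):
    """Decrypt per Section 4.4.3; returns (A_0, A, alphas, plaintexts)."""
    e = prod(E)
    # Merge: A_0 = prod c_i^{e/e_i} mod N (same value Fiat's tree computes).
    a0 = 1
    for c, ei in zip(ciphertexts, E):
        a0 = a0 * pow(c, e // ei, N) % N
    # The only private-key operation: A = A_0^d = prod m_i (mod N).
    a = pow(a0, D, N)
    # alpha_i = x / e_i: exact integers, no modular inversion mod e_i needed.
    alphas = [X // ei for ei in E]
    plaintexts = []
    for i, (ci, ei, ai) in enumerate(zip(ciphertexts, E, alphas)):
        # Lemma 4.5.14: x/x_i = 1 (mod x_i), so (alpha_i - 1)/e_i is an integer.
        assert (ai - 1) % ei == 0
        denom = pow(ci, (ai - 1) // ei, N)
        for j, (cj, ej) in enumerate(zip(ciphertexts, E)):
            if j != i:
                assert ai % ej == 0        # e_j divides x/e_i for distinct x's
                denom = denom * pow(cj, ai // ej, N) % N
        # Equation (4.34): m_i = A^{alpha_i} / denom (mod N).
        plaintexts.append(pow(a, ai, N) * pow(denom, -1, N) % N)
    return a0, a, alphas, tuple(plaintexts)


def last_plaintext_shortcut(a, others):
    """Remark 4.4.4: m_b = A / (m_1 ... m_{b-1}) mod N once the others are known."""
    return a * pow(prod(others) % N, -1, N) % N


if __name__ == "__main__":
    ms = (1000, 2000, 3000, 4000)
    cs = encrypt(ms)
    a0, a, alphas, recovered = batch_decrypt(cs)
    print("ciphertexts", cs, "A_0", a0, "A", a, "alphas", alphas)
    print("recovered", recovered, "m_4 via Remark 4.4.4",
          last_plaintext_shortcut(a, recovered[:3]))
```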
4.5 Solving the Diophantine Equations

4.5.1 Plus-Type Equations 

Algorithms for Solving the Plus-Type Equations 

Equation (4.23) is a special case of the problem of expressing 1 as the sum of distinct unit fractions. Equation (4.23) also provides solutions to Znám's problem: find all sequences $\{N_1, \ldots, N_k\}$ of integers $\ge 2$ with the property that, for each $i$, $N_i$ properly divides $1 + \prod_{1\le j\le k,\ j\ne i} N_j$. In the past forty years, many mathematical researchers have worked on this equation [50,51,53,57,58,74-76,109,169,263,264,267,268,270]. In recent years, applications of Equation (4.23) have also been found in graph theory [52,58], differential geometry [49,51], and computation theory [103].

However, it is impossible to solve the Plus-Type Equation when n > 8 by hand. See 
Table 4.1 for the known possible value intervals for each variable (n = 8). 


Table 4.1: The known possible values

| $x_i$ | possible values |
|---|---|
| $x_1$ | 2 |
| $x_2$ | [3, 5] |
| $x_3$ | [7, 13] |
| $x_4$ | [11, 71] |
| $x_5$ | [17, 3559] |
| $x_6$ | [67, $3.5\times 10^{6}$] |
| $x_7$ | [551, $1.0\times 10^{13}$] |
| $x_8$ | [$8.6\times 10^{4}$, $1.1\times 10^{26}$] |


Although the following results are known, Equation (4.23)$_8$ had not been solved completely until our work was published. Table 4.2 gives the number of solutions for $n\le 8$ found in previous works. We have presented an algorithm to solve Equation (4.23) by the elliptic curve method. We found all of the 122 solutions for $n = 8$ in November 2008. The computation was carried out on one personal computer with a 2.3 GHz CPU and lasted 21 days. We have provided the algorithm and all 122 solutions. Although we have not solved Equation (4.23) for all the solutions when $n = 9$, we have generated solutions based on known solutions [70]. We have found 411 solutions for $n = 9$ and 2318 solutions for $n = 10$. Since our method is universal, it could be used to find a number of solutions for $n > 10$.

Table 4.2: The number of solutions for $n\le 8$ for Equation (4.23)$_n$

| Equations | Number of solutions | Year | Contributor |
|---|---|---|---|
| $n\le 6$ | 15 | 1964 | Ke and Sun [169] |
| $n = 7$ | 18 | 1978 | Janak and Skula [158] |
| $n = 7$ | 26 | 1987 | Cao, Liu and Zhang [75, 76] |
| $n = 7$ | 26 | 1988 | Brenton and Hill [51] |
| $n = 8$ | 119 | 1998 | Brenton and Vasiliu [53] |

Now, we introduce the algorithm to solve Equation (4.23). Firstly, we state some 
lemmas about Equation (4.23). Then we present the outline and the pseudo codes of the 
algorithm. Finally we propose a new theorem. 

Lemma 4.5.1. Suppose that $(x_1, x_2, \ldots, x_n)$ is a solution of Equation (4.23)$_n$. Then $x_1, x_2, \ldots, x_n$ are pairwise coprime.

Proof. See [51]. □

Lemma 4.5.2 (Sun and Cao [268]). Let $(x_1^{(j)}, x_2^{(j)}, \ldots, x_{n-1}^{(j)})$ be the $j$-th solution of Equation (4.23)$_{n-1}$, $1\le j\le \Omega(n-1)$. Put

$$k_j(n) = \left(x_1^{(j)}\cdot x_2^{(j)}\cdots x_{n-1}^{(j)}\right)^2 + 1,\qquad 1\le j\le \Omega(n-1).$$

Then

$$\Omega(n+1) \ge \Omega(n) + \sum_{j=1}^{\Omega(n-1)}\left(\frac{d(k_j(n))}{2} - 1\right),$$

where $d(k_j(n))$ denotes the number of different positive factors of $k_j(n)$.
Proof. The proof consists of two steps:

Step 1: Let $(x_1, x_2, \ldots, x_n)$ be any solution of Equation (4.23)$_n$. Put $x_{n+1} = \prod_{1\le i\le n} x_i + 1$. By a direct computation, $(x_1, x_2, \ldots, x_{n+1})$ is a solution of Equation (4.23)$_{n+1}$. Hence, $\Omega(n+1) \ge \Omega(n)$.

Step 2: Let $(x_1^{(j)}, x_2^{(j)}, \ldots, x_{n-1}^{(j)})$ be as above. Let $k$ be one positive factor of $k_j(n)$ such that $1 < k < \sqrt{k_j(n)}$. Put

$$x_n^{(j)} = \prod_{1\le i\le n-1} x_i^{(j)} + k,\qquad x_{n+1}^{(j)} = \prod_{1\le i\le n-1} x_i^{(j)} + \frac{k_j(n)}{k}.$$

By a direct computation, it is proved that $(x_1^{(j)}, x_2^{(j)}, \ldots, x_{n+1}^{(j)})$ is a solution of Equation (4.23)$_{n+1}$. For each $j$, $1\le j\le \Omega(n-1)$, the number of $k$ satisfying $1 < k < \sqrt{k_j(n)}$ is $\frac{d(k_j(n))}{2} - 1$. Hence, we can generate

$$\sum_{j=1}^{\Omega(n-1)}\left(\frac{d(k_j(n))}{2} - 1\right)$$

solutions of Equation (4.23)$_{n+1}$. These solutions are all different from the solutions generated in Step 1, since $x_n^{(j)} \ne \prod_{1\le i\le n-1} x_i^{(j)} + 1$. Therefore, $\Omega(n+1) \ge \Omega(n) + \sum_{j=1}^{\Omega(n-1)}\left(\frac{d(k_j(n))}{2} - 1\right)$. □

Lemma 4.5.3. Suppose $2\le x_1 < \cdots < x_{n-2}$ and $x_1, x_2, \ldots, x_{n-2}$ are pairwise coprime. Put

$$A = \prod_{1\le i\le n-2} x_i,\qquad B = A - \sum_{1\le i\le n-2}\frac{A}{x_i}.$$

Let $P$ and $Q$ be positive integers such that $PQ = A^2 + B$, $P < Q$. Put

$$x_{n-1} = \frac{A+P}{B},\qquad x_n = \frac{A+Q}{B}.$$

If $B\mid A+P$ and $B\mid A+Q$, $(x_1, x_2, \ldots, x_n)$ is a solution to Equation (4.23)$_n$.

Proof. This lemma is proved by a direct computation. □

Lemma 4.5.4. Put $x_1 = A$, where $A$ is an arbitrary positive integer. For $1\le i<n$, let $x_{i+1}$ be the minimum positive integer such that $x_{i+1} > x_i$ and $x_{i+1}$ is coprime to all $x_1, x_2, \ldots, x_i$. If

$$\sum_{1\le i\le n}\frac{1}{x_i} + \prod_{1\le i\le n}\frac{1}{x_i} < 1,$$

there is no solution of Equation (4.23)$_n$ with $x_1 = A$.

Proof. Suppose there is one solution of Equation (4.23)$_n$ with $x_1 = A$. For $1\le i<n$, $x_{i+1}$ is the minimum positive integer such that $x_{i+1} > x_i$ and $x_{i+1}$ is coprime to $x_1, x_2, \ldots, x_i$. For all solutions $(A, x_2^*, x_3^*, \ldots, x_n^*)$ of Equation (4.23)$_n$, we have

$$1 = \sum_{1\le i\le n}\frac{1}{x_i^*} + \prod_{1\le i\le n}\frac{1}{x_i^*} \le \sum_{1\le i\le n}\frac{1}{x_i} + \prod_{1\le i\le n}\frac{1}{x_i} < 1.$$

It is a contradiction. □


Algorithm Outline: Direct Finding Algorithms

Let $(x_1, x_2, \ldots, x_n)$ be a solution of Equation (4.23)$_n$.

• First we calculate the lower bound of $x_1$, $L_1$, and the upper bound of $x_1$, $U_1$. Let $x_1$ be $A$, and $x_{i+1}$ be the minimum positive integer such that $x_{i+1} > x_i$ and $x_{i+1}$ is coprime to $x_1, x_2, \ldots, x_i$, $1\le i<n$. If $\sum_{1\le i\le n}\frac{1}{x_i} + \prod_{1\le i\le n}\frac{1}{x_i} \ge 1$, then $A \in [L_1, U_1]$ by Lemma 4.5.4.

For example, for Equation (4.23)$_8$, we fix $x_1 = 2$ and then we get $x_2 = 3$, $x_3 = 5$, $x_4 = 7$, $x_5 = 11$, $x_6 = 13$, $x_7 = 17$, and $x_8 = 19$. From

$$\frac{1}{2} + \frac{1}{3} + \frac{1}{5} + \frac{1}{7} + \frac{1}{11} + \frac{1}{13} + \frac{1}{17} + \frac{1}{19} + \frac{1}{2\cdot 3\cdot 5\cdot 7\cdot 11\cdot 13\cdot 17\cdot 19} > 1$$

we have $2 \in [L_1, U_1]$.

• Then for all values of $x_1$ over the range $[L_1, U_1]$, we calculate the lower bound of $x_2$, $L_2$, and the upper bound of $x_2$, $U_2$. In this way, once we fix $(x_1, x_2, \ldots, x_i)$, we calculate $L_{i+1}$ and $U_{i+1}$, $1\le i\le n-1$.

  - From Equation (4.23)$_n$ we have

  $$x_i > \frac{\prod_{1\le k\le i-1} x_k}{\prod_{1\le k\le i-1} x_k - \sum_{1\le k\le i-1}\prod_{1\le j\le i-1,\ j\ne k} x_j}.$$

  Hence,

  $$L_i = \max\left\{x_{i-1} + 1,\ \left\lfloor\frac{\prod_{1\le k\le i-1} x_k}{\prod_{1\le k\le i-1} x_k - \sum_{1\le k\le i-1}\prod_{1\le j\le i-1,\ j\ne k} x_j}\right\rfloor + 1\right\}.$$

  - It follows from

  $$\sum_{1\le k\le i-1}\frac{1}{x_k} + (n-i+1)\cdot\frac{1}{x_i} \ge \sum_{1\le i\le n}\frac{1}{x_i} + \prod_{1\le i\le n}\frac{1}{x_i} = 1$$

  that

  $$x_i \le \frac{\left(\prod_{1\le k\le i-1} x_k\right)(n-i+1)}{\prod_{1\le k\le i-1} x_k - \sum_{1\le k\le i-1}\prod_{1\le j\le i-1,\ j\ne k} x_j}.$$

  Therefore,

  $$U_i = \left\lfloor\frac{\left(\prod_{1\le k\le i-1} x_k\right)(n-i+1)}{\prod_{1\le k\le i-1} x_k - \sum_{1\le k\le i-1}\prod_{1\le j\le i-1,\ j\ne k} x_j}\right\rfloor.$$

  - When $(x_1, x_2, \ldots, x_{i-1})$ are fixed, put $x_i = U_i$ and let $x_j$ ($i < j \le n$) be the minimum positive integer such that $x_j$ is coprime to $x_1, \ldots, x_{j-1}$ and $x_j > x_{j-1}$. Then $\sum_{1\le i\le n}\frac{1}{x_i} + \prod_{1\le i\le n}\frac{1}{x_i} \ge 1$ must hold. We can further reduce $U_i$ based on this fact.

• After all the lower/upper bounds of $(x_1, x_2, \ldots, x_{n-2})$ are calculated, for all values of $x_i$ over the range $[L_i, U_i]$ ($1\le i\le n-2$), put $A = \prod_{1\le i\le n-2} x_i$, $B = A - \sum_{1\le i\le n-2}\frac{A}{x_i}$. Factorize $A^2 + B$. For all positive integers $P$ and $Q$ such that $PQ = A^2 + B$, $P < Q$, put $x_{n-1} = \frac{A+P}{B}$, $x_n = \frac{A+Q}{B}$. If both $x_{n-1}$ and $x_n$ are integers, $(x_1, x_2, \ldots, x_n)$ is a solution of Equation (4.23)$_n$.

There are many methods to factorize $A^2 + B$, such as the general number field sieve, the multiple polynomial quadratic sieve, the elliptic curve method, and quantum algorithms. The general number field sieve [56,88] is the most efficient algorithm known for factoring integers larger than 100 digits. Its complexity is $L_N[\frac{1}{3}, c]$, where $L_N[c_1, c_2] = O\left(e^{(c_2 + o(1))(\log N)^{c_1}(\log\log N)^{1-c_1}}\right)$ and $N$ is the integer to be factorized. The complexity of the multiple polynomial quadratic sieve is $L_N[\frac{1}{2}, 1]$. The elliptic curve method [103] is the most suitable method for finding small factors. Its running time is dominated by the size of the smallest factor, while the complexity of the first two methods is determined by the size of the number to be factored.

In our algorithm, integers are factorized by the elliptic curve method. Other methods also work well.

Pseudo Codes 

We present the pseudo codes of algorithm for further explanation. 


Algorithm 1 Search1

Procedure Search1(depth)
Input: depth
Output: All solutions of Equation (4.23)$_n$.
1: if depth = n then
2:   $x_n \leftarrow \dfrac{\prod_{1\le k\le n-1} x_k + 1}{\prod_{1\le k\le n-1} x_k - \sum_{1\le k\le n-1}\prod_{1\le i\le n-1,\ i\ne k} x_i}$
3:   if $x_n$ is an integer then
4:     output $x_1, x_2, \ldots, x_n$
5:   end if
6: end if
7: if depth < n − 1 then
8:   $L_{depth} \leftarrow \max\left\{x_{depth-1} + 1,\ \left\lfloor\dfrac{\prod_{1\le k\le depth-1} x_k}{\prod_{1\le k\le depth-1} x_k - \sum_{1\le k\le depth-1}\prod_{1\le j\le depth-1,\ j\ne k} x_j}\right\rfloor + 1\right\}$
9:   $U_{depth} \leftarrow \left\lfloor\dfrac{\left(\prod_{1\le k\le depth-1} x_k\right)(n - depth + 1)}{\prod_{1\le k\le depth-1} x_k - \sum_{1\le k\le depth-1}\prod_{1\le j\le depth-1,\ j\ne k} x_j}\right\rfloor$
10:  call ReduceU(depth)
11:  for all $x_{depth} \in [L_{depth}, U_{depth}]$ do
12:    if $(x_1, \ldots, x_{depth})$ are all relatively prime then
13:      call Search1(depth + 1)
14:    end if
15:  end for
16: end if
17: if depth = n − 1 then
18:   $L_{depth} \leftarrow \max\left\{x_{depth-1} + 1,\ \left\lfloor\dfrac{\prod_{1\le k\le depth-1} x_k}{\prod_{1\le k\le depth-1} x_k - \sum_{1\le k\le depth-1}\prod_{1\le j\le depth-1,\ j\ne k} x_j}\right\rfloor + 1\right\}$
19:   $U_{depth} \leftarrow \left\lfloor\dfrac{\left(\prod_{1\le k\le depth-1} x_k\right)(n - depth + 1)}{\prod_{1\le k\le depth-1} x_k - \sum_{1\le k\le depth-1}\prod_{1\le j\le depth-1,\ j\ne k} x_j}\right\rfloor$
20:   call ReduceU(depth)
21:   if $U_{depth} - L_{depth} \le 120000$ then
22:     for all $x_{depth} \in [L_{depth}, U_{depth}]$ do
23:       if $(x_1, \ldots, x_{depth})$ are all relatively prime then
24:         call Search1(depth + 1)
25:       end if
26:     end for
27:   else
28:     $A \leftarrow \prod_{1\le i\le n-2} x_i$
29:     $B \leftarrow A - \sum_{1\le i\le n-2} \dfrac{A}{x_i}$
30:     $C \leftarrow A^2 + B$
31:     for all positive factors $P$ of $C$ do
32:       $Q \leftarrow C / P$
33:       if $P < Q$ then
34:         $x_{n-1} \leftarrow \dfrac{A + P}{B}$
35:         $x_n \leftarrow \dfrac{A + Q}{B}$
36:         if $x_{n-1} > x_{n-2}$ and both $x_{n-1}$ and $x_n$ are integers then
37:           output $x_1, x_2, \ldots, x_n$
38:         end if
39:       end if
40:     end for
41:   end if
42: end if


Function 1 ReduceU(depth)

Input: depth
Output: Nothing.

Step 1. $x_{depth} \leftarrow U_{depth}$

Step 2. $x_{depth+1} \leftarrow$ the minimum value such that $(x_1, \ldots, x_{depth+1})$ are all relatively prime.
        $x_{depth+2} \leftarrow$ the minimum value such that $(x_1, \ldots, x_{depth+2})$ are all relatively prime.
        $\ldots$
        $x_n \leftarrow$ the minimum value such that $(x_1, \ldots, x_n)$ are all relatively prime.

Step 3. If $\sum_{1\le i\le n}\frac{1}{x_i} + \prod_{1\le i\le n}\frac{1}{x_i} < 1$ then
          $U_{depth} \leftarrow U_{depth} - 1$
          Goto Step 1.
        End if


Remark 4.5.5. The complete solutions of Equation (4.23) can be found by running Algorithm Search1(depth = 1).

Remark 4.5.6. Algorithm Search1 can be further optimized. The computation amount of decomposing an integer is about 60,000 times the computation amount of computing $x_n$ based on $(x_1, \ldots, x_{n-1})$. Hence, we factorize $A^2 + B$ to get $x_{n-1}, x_n$ only if $U_{n-1} - L_{n-1} > 120{,}000$.

Remark 4.5.7. We apply the computer program in [4] to factorization. We would like to thank D. Alpern again.

The computer program examines all possible tuples $(x_1, \ldots, x_6)$, and executes the factorization to find $x_7$ and $x_8$ for each tuple. The maximum value to be factorized is about $10^{26}$, which can be factorized efficiently by the elliptic curve method. The elliptic curve method is a randomized method. It may fail to factorize by treating a composite number as a prime. We make sure that this method is always successful when the computer continues searching for the solutions.
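The direct-finding procedure above, as an added Python example (not the book's program): it applies the bounds $L_i$ and $U_i$ from the outline, prunes by pairwise coprimality (Lemma 4.5.1) and closes the last two unknowns with Lemma 4.5.3. Trial division stands in for the elliptic curve method, which is enough for small $n$; function names are my own.

```python
"""Direct-finding search for the Plus-Type Equation (4.23):
    sum 1/x_i + prod 1/x_i = 1,  2 <= x_1 < ... < x_n, pairwise coprime.
Added example following the Algorithm Outline and Lemma 4.5.3; not the book's code.
"""
from fractions import Fraction
from math import gcd, isqrt, prod


def is_plus_solution(xs):
    """Exact check of Equation (4.23) for an increasing tuple xs."""
    total = sum(Fraction(1, x) for x in xs) + Fraction(1, prod(xs))
    return total == 1 and all(a < b for a, b in zip(xs, xs[1:]))


def bounds(prefix, n):
    """L_i and U_i for x_i given the fixed (x_1..x_{i-1}); i = len(prefix) + 1."""
    i = len(prefix) + 1
    a = prod(prefix)                       # product of the fixed variables (1 if none)
    s = sum(a // x for x in prefix)        # a * sum 1/x_k
    r = a - s                              # a * (1 - sum 1/x_k), positive by choice of L
    low = max(prefix[-1] + 1 if prefix else 2, a // r + 1)   # x_i > a / r
    high = (a * (n - i + 1)) // r                            # x_i <= a (n-i+1) / r
    return low, high


def complete_with_lemma_4_5_3(prefix, n):
    """Given x_1..x_{n-2}, return all completions (x_{n-1}, x_n) via PQ = A^2 + B."""
    a = prod(prefix)
    b = a - sum(a // x for x in prefix)
    c = a * a + b
    found = []
    for p in range(1, isqrt(c) + 1):       # trial division: every factor P <= sqrt(C)
        if c % p:
            continue
        q = c // p
        if p >= q:
            continue                       # P < Q gives x_{n-1} < x_n
        if (a + p) % b or (a + q) % b:
            continue                       # B must divide both A+P and A+Q
        y, z = (a + p) // b, (a + q) // b
        if prefix and y <= prefix[-1]:
            continue                       # keep the tuple strictly increasing
        sol = tuple(prefix) + (y, z)
        if is_plus_solution(sol):          # defensive exact check
            found.append(sol)
    return found


def search(prefix, n, found):
    """Recursive Search1: x_i runs over [L_i, U_i] and must be coprime to earlier x's."""
    if len(prefix) == n - 2:
        found.extend(complete_with_lemma_4_5_3(prefix, n))
        return
    low, high = bounds(prefix, n)
    for x in range(low, high + 1):
        if all(gcd(x, y) == 1 for y in prefix):
            search(prefix + [x], n, found)


def solve_plus(n):
    """All solutions of Equation (4.23)_n, sorted."""
    if n == 1:
        return [(2,)]                      # 1/2 + 1/2 = 1
    found = []
    search([], n, found)
    return sorted(found)


if __name__ == "__main__":
    for n in range(1, 7):
        sols = solve_plus(n)
        print(f"n = {n}: {len(sols)} solution(s)", sols if n <= 5 else "")
```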

Theorem 4.5.8. Equation (4.23)$_8$ has only 122 solutions. There is only one solution such that $x_1, \ldots, x_8$ are all primes: $2, 3, 11, 23, 31, 47059, 2217342227, 1729101023519$.

All these 122 solutions can be found in Appendix A.

New Solutions Generated from Known Solutions

We propose a new method, which can generate solutions of Equation (4.23)$_{n+3}$ from solutions of Equation (4.23)$_n$ [68-70]. We call it the Gap-three extension algorithm. See the following pseudo codes.
Algorithm 2 Gap-three Extension

Procedure GapThreeExtension
Input: $(x_1, x_2, \ldots, x_n)$, one solution of Equation (4.23)$_n$; LOW, lower bound of $t$; HIGH, upper bound of $t$.
Output: Solutions of Equation (4.23)$_{n+3}$
1: $J \leftarrow \prod_{1\le i\le n} x_i$
2: $t \leftarrow 1$
3: while $t <$ LOW do
4:   $t \leftarrow t + 4$
5: end while
6: while $t + 4 <$ HIGH do
7:   if $t$ is not coprime to any of $x_1, x_2, \ldots, x_n$ then
8:     $t \leftarrow t + 4$; continue
9:   end if
10:  Factorize $J^2 + t$
11:  for each odd positive factor $k$ of $J^2 + t$ do
12:    if $k \not\equiv 1 \pmod 4$ or $k = 1$ or $k$ is not coprime with any of $(x_1, x_2, \ldots, x_n)$ then
13:      continue
14:    end if
15:    $x_{n+1} \leftarrow J + k$
16:    $x_{n+2} \leftarrow J + \dfrac{J^2 + t}{k}$
17:    if $x_{n+1} > x_{n+2}$, or $x_{n+1}$ and $x_{n+2}$ are not coprime then
18:      continue
19:    end if
20:    if $t \nmid \left[(J^2 + J\cdot k)^2 + k\right]$ then
21:      continue
22:    end if
23:    $x_{n+3} \leftarrow \dfrac{J\cdot x_{n+1}\cdot x_{n+2} + 1}{t}$
24:    if $x_{n+2} \ge x_{n+3}$, or $x_{n+3}$ is not coprime with any of $(x_1, x_2, \ldots, x_{n+2})$ then
25:      continue
26:    end if
27:    output $(x_1, x_2, \ldots, x_{n+3})$
28:  end for
29:  $t \leftarrow t + 4$
30: end while


The correctness of this method is based on the following lemma.

Lemma 4.5.9 (Cao [70]). Let $(x_1, x_2, \ldots, x_{n-2})$ be a solution of Equation (4.23)$_{n-2}$. Put $N = \prod_{1\le i\le n-2} x_i$. Then

$$\left(x_1, x_2, \ldots, x_{n-2},\ x_{n-1} = N + k,\ x_n = N + \frac{N^2 + t}{k},\ x_{n+1} = \frac{1}{t}\left[N(N+k)\left(N + \frac{N^2+t}{k}\right) + 1\right]\right)$$

is a solution of Equation (4.23)$_{n+1}$, where $x_{n-1}, x_n, x_{n+1}$ are integers satisfying $x_{n-1} < x_n < x_{n+1}$ and $t, k$ are positive integers. Moreover, $N, k, t$ are pairwise coprime. If $2\mid N$, $k \equiv t \equiv 1 \pmod 4$.

Proof. The proof consists of the following steps:

Step 1: By a direct computation, it is easy to check that $(x_1, x_2, \ldots, x_{n+1})$ is a solution of Equation (4.23)$_{n+1}$.

Step 2: Set $y = x_{n-1}$, $z = x_n$, $w = x_{n+1}$. Then from

$$\sum_{1\le i\le n+1}\frac{1}{x_i} + \prod_{1\le i\le n+1}\frac{1}{x_i} = 1$$

we have

$$\frac{1}{y} + \frac{1}{z} + \frac{1}{w} + \frac{1}{N\cdot y\cdot z\cdot w} = \frac{1}{N}.$$

Therefore,

$$\frac{k}{N\cdot(N+k)} = \frac{1}{z} + \frac{1}{w} + \frac{1}{N\cdot(N+k)\cdot z\cdot w}.$$

Hence,

$$z\cdot w\cdot k = N\cdot(N+k)\cdot w + N\cdot(N+k)\cdot z + 1.$$

Let $d$ denote $\gcd(N, k)$. Then $z\cdot w\cdot k \equiv 0 \pmod d$, and $N\cdot(N+k)\cdot w + N\cdot(N+k)\cdot z + 1 \equiv 1 \pmod d$. Therefore, $d \mid 1$. Hence, $N$ and $k$ are coprime.

Step 3: Let $d'$ denote $\gcd(k, t)$. From $w \in \mathbb{Z}$, we have $t \mid \left[N\cdot(N+k)\left(N + \frac{N^2+t}{k}\right) + 1\right]$. Hence, $d' \mid \left[N\cdot(N+k)\left(N + \frac{N^2+t}{k}\right) + 1\right]$. From $d' \mid k$, we get $d' \mid \left[N^2\left(N + \frac{N^2+t}{k}\right) + 1\right]$. Since $\frac{N^2+t}{k} \in \mathbb{Z}$, we have $k \mid (N^2 + t)$. Therefore $d' \mid N^2$. It follows that $d' \mid 1$. Hence, $k$ and $t$ are coprime.

Step 4: Let $d''$ denote $\gcd(N, t)$. From

$$w = \frac{1}{t}\left[N\cdot(N+k)\left(N + \frac{N^2+t}{k}\right) + 1\right],$$

it follows that

$$w\cdot t = N\cdot(N+k)\left(N + \frac{N^2+t}{k}\right) + 1.$$

Since $d'' \mid (w t)$ and $d'' \mid N$, we have $d'' \mid 1$. Therefore, $N$ and $t$ are coprime.

It follows from Steps 2, 3, and 4 that $N, k$, and $t$ are pairwise coprime.

Step 5: Assume that $2 \mid N$. Since $t \mid \left[N\cdot(N+k)\cdot\left(N + \frac{N^2+t}{k}\right) + 1\right]$ and $2 \mid N$, we have $2 \nmid t$. From $k \mid (N^2 + t)$, we have $2 \nmid k$. From $(k, t) = 1$, we get $\left(\frac{-t}{k}\right) = 1$. Then from $t \mid \left[N\cdot(N+k)\cdot\left(N + \frac{N^2+t}{k}\right) + 1\right]$, we have $t \mid \left[N\cdot(N+k)\cdot(Nk + N^2 + t) + k\right]$, i.e., $t \mid \left[N^2\cdot(N+k)^2 + k\right]$. Therefore $\left(\frac{-k}{t}\right) = 1$. We have

$$1 = \left(\frac{-t}{k}\right)\left(\frac{-k}{t}\right) = \left(\frac{-1}{k}\right)\left(\frac{-1}{t}\right)\left(\frac{t}{k}\right)\left(\frac{k}{t}\right) = (-1)^{\frac{k-1}{2}}\,(-1)^{\frac{t-1}{2}}\,(-1)^{\frac{k-1}{2}\cdot\frac{t-1}{2}}.$$

Thus,

$$\frac{k-1}{2} + \frac{t-1}{2} + \frac{k-1}{2}\cdot\frac{t-1}{2} \equiv 0 \pmod 2,$$

which holds only for $k \equiv t \equiv 1 \pmod 4$. □
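The three extension methods discussed here, as an added Python example (not the book's code): the gap-one and gap-two extensions of Lemma 4.5.2 and the gap-three extension of Algorithm 2 justified by Lemma 4.5.9, each output checked against Equation (4.23). Function names are my own and factoring is by trial division; from $(2, 3)$ with $t$ in $[1, 100)$ it recovers $(2, 3, 11, 23, 31)$ with $t = 49$, $k = 5$.

```python
"""Generating Plus-Type solutions from known ones (Lemma 4.5.2, Algorithm 2).

Added example; not the book's program. Small inputs only (trial-division factoring).
"""
from fractions import Fraction
from math import gcd, isqrt, prod


def is_plus_solution(xs):
    """Exact check of Equation (4.23): sum 1/x_i + prod 1/x_i = 1, increasing tuple."""
    return (sum(Fraction(1, x) for x in xs) + Fraction(1, prod(xs)) == 1
            and all(a < b for a, b in zip(xs, xs[1:])))


def divisors(c):
    """All positive divisors of c by trial division."""
    small = [p for p in range(1, isqrt(c) + 1) if c % p == 0]
    return sorted(set(small + [c // p for p in small]))


def gap_one(sol):
    """Step 1 of Lemma 4.5.2: (x_1..x_n) in S(n) -> append prod x_i + 1."""
    return tuple(sol) + (prod(sol) + 1,)


def gap_two(sol):
    """Step 2 of Lemma 4.5.2: append J + k and J + (J^2+1)/k for k | J^2+1, 1 < k < sqrt."""
    j = prod(sol)
    c = j * j + 1
    out = [tuple(sol) + (j + k, j + c // k) for k in divisors(c) if k > 1 and k * k < c]
    return [s for s in out if is_plus_solution(s)]


def gap_three(sol, low, high):
    """Algorithm 2 (GapThreeExtension) with t = 1 (mod 4) scanned over [low, high)."""
    sol = tuple(sol)
    j = prod(sol)
    out = []
    t = 1
    while t < low:                                     # lines 3-5
        t += 4
    while t + 4 < high:                                # line 6
        if all(gcd(t, x) == 1 for x in sol):           # line 7
            for k in divisors(j * j + t):              # lines 10-11
                if k % 2 == 0 or k % 4 != 1 or k == 1:  # line 12
                    continue
                if any(gcd(k, x) != 1 for x in sol):
                    continue
                x1, x2 = j + k, j + (j * j + t) // k   # lines 15-16
                if x1 > x2 or gcd(x1, x2) != 1:        # line 17
                    continue
                if ((j * j + j * k) ** 2 + k) % t:     # line 20, integrality of x_{n+3}
                    continue
                if (j * x1 * x2 + 1) % t:              # same test, kept as a direct guard
                    continue
                x3 = (j * x1 * x2 + 1) // t            # line 23
                if x2 >= x3 or any(gcd(x3, x) != 1 for x in sol + (x1, x2)):
                    continue                           # line 24
                out.append(sol + (x1, x2, x3))         # line 27
        t += 4                                         # line 29
    return out


if __name__ == "__main__":
    print("gap-one   from (2, 3, 7):", gap_one((2, 3, 7)))
    print("gap-two   from (2, 3, 7):", gap_two((2, 3, 7)))
    print("gap-three from (2, 3), t in [1, 100):", gap_three((2, 3), 1, 100))
```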


Now we propose the following new theorem.

Theorem 4.5.10. Let $\Omega(k)$ denote the number of solutions of Equation (4.23)$_k$. We have

$$\Omega(n+3) \ge \Omega(n+2) + A(n+1) + B(n) + T(n+2),$$

where $A(n+1) = \sum_{j=1}^{\Omega(n+1)}\left(\frac{d(k_j(n+2))}{2} - 1\right)$ is the quantity defined in Lemma 4.5.2, $B(n)$ denotes the number of solutions found by Algorithm 2 based on $n$, restricted by $t > 1$ and $k > 1$, and $T(n+2)$ denotes the number of solutions generated as follows. Let $(x_1, x_2, \ldots, x_{n+2})$ be a solution of Equation (4.23)$_{n+2}$ such that $(x_1, x_2, \ldots, x_{n+1})$ is not a solution of Equation (4.23)$_{n+1}$, and $C = \left(\prod_{1\le i\le n+1} x_i\right)^2 + 1$. Let $k$ be a factor of $C$ such that $1 < k < \sqrt{C}$. Put

$$x_{n+2}' = \prod_{1\le i\le n+1} x_i + k,\qquad x_{n+3}' = \prod_{1\le i\le n+1} x_i + \frac{C}{k}.$$

Then

$$(x_1, x_2, \ldots, x_{n+1}, x_{n+2}', x_{n+3}')$$

is a solution of Equation (4.23)$_{n+3}$.

Proof. Let $S(k)$ be the set of all solutions of Equation (4.23)$_k$. In fact there are at least four different methods to generate solutions of Equation (4.23)$_{n+3}$, listed in Table 4.6. Methods 3 and 4 are from [70]. They were first used to generate solutions of Equation (4.23) for $n = 9, 10$ in Theorems 4.5.11 and 4.5.12.
Table 4.6: Four methods to generate solutions of Equation (4.23)$_{n+3}$

| Methods | Number of solutions | Brief illustration |
|---|---|---|
| Method 1: Gap-one extension | $\Omega(n+2)$ | $x_1, x_2, \ldots, x_{n+2},\ x_{n+3} = \left(\prod_{1\le i\le n+2} x_i\right) + 1$; $(x_1, x_2, \ldots, x_{n+2}) \in S(n+2)$. |
| Method 2: Gap-two extension | $A(n+1)$ | $x_1, x_2, \ldots, x_{n+1},\ x_{n+2} = J + k,\ x_{n+3} = J + \frac{J^2+1}{k}$; $(x_1, x_2, \ldots, x_{n+1}) \in S(n+1)$, $J = \prod_{1\le i\le n+1} x_i$, $k \mid (J^2+1)$, $1 < k < \sqrt{J^2+1}$. |
| Method 3: Gap-three extension | $B(n)$ | $x_1, x_2, \ldots, x_n,\ x_{n+1} = N + k,\ x_{n+2} = N + \frac{N^2+t}{k},\ x_{n+3} = \frac{1}{t}\left(\prod_{1\le i\le n+2} x_i + 1\right)$; $(x_1, x_2, \ldots, x_n) \in S(n)$, $N = \prod_{1\le i\le n} x_i$, $k > 1$, $t > 1$, $x_{n+1}, x_{n+2}, x_{n+3} \in \mathbb{Z}$. |
| Method 4: (Another gap-one extension) | $T(n+2)$ | $x_1, x_2, \ldots, x_{n+1},\ x_{n+2} = J + k,\ x_{n+3} = J + \frac{J^2+1}{k}$; $(x_1, x_2, \ldots, x_{n+2}) \in S(n+2)$, $(x_1, x_2, \ldots, x_{n+1}) \notin S(n+1)$, $J = \prod_{1\le i\le n+1} x_i$, $k \mid (J^2+1)$, $1 < k < \sqrt{J^2+1}$. |

We prove that the solutions generated by the four methods are all different. The proof consists of the following three steps.

Step 1: It follows from Lemma 4.5.2 that the solutions generated by Method 2 are different from those of Method 1.

Step 2: The solutions generated by Method 3 are all different from those of Method 1, because $t > 1$ gives $x_{n+3} < \prod_{1\le i\le n+2} x_i + 1$ in Method 3, while $x_{n+3} = \prod_{1\le i\le n+2} x_i + 1$ in Method 1.

The solutions generated by Method 3 are also different from those of Method 2. Since $k > 1$, $(x_1, x_2, \ldots, x_{n+1}) \notin S(n+1)$ in Method 3, while $(x_1, x_2, \ldots, x_{n+1}) \in S(n+1)$ in Method 2.

Step 3: The solutions generated by Method 4 are all different from those of Methods 2 and 3, because $(x_1, x_2, \ldots, x_{n+1}) \notin S(n+1)$ and $(x_1, x_2, \ldots, x_n) \notin S(n)$ in Method 4, but $(x_1, x_2, \ldots, x_{n+1}) \in S(n+1)$ in Method 2 and $(x_1, x_2, \ldots, x_n) \in S(n)$ in Method 3.

The solutions generated by Method 4 are also different from those of Method 1. Since $k > 1$, $x_{n+3} < \prod_{1\le i\le n+2} x_i + 1$ in Method 4, while $x_{n+3} = \prod_{1\le i\le n+2} x_i + 1$ in Method 1.

Therefore, we have $\Omega(n+3) \ge \Omega(n+2) + A(n+1) + B(n) + T(n+2)$. □


The number of solutions for $n = 9, 10$

Theorem 4.5.11. There are at least 411 solutions of Equation (4.23)$_9$.

We found 411 solutions of Equation (4.23)$_9$. The number of solutions found by each method is listed in the following Table 4.7.

Table 4.7: Solutions found in Equation (4.23)$_9$.

| Solutions found (at least) | Method |
|---|---|
| 122 | Method 1, $\Omega(8)$ |
| 205 | Method 2, $A(7)$ |
| 47 | Method 3, $B(6)$ |
| 14 | Method 4, $T(8)$ |
| 23 | Direct finding |

Because of space limitations, these solutions are listed at http://tdt.sjtu.edu.cn/9plus.html, and the solutions found by the different methods are also listed separately there.

Theorem 4.5.12. There are at least 2318 solutions of Equation (4.23)$_{10}$.

We also found 2318 solutions of Equation (4.23)$_{10}$. The number of solutions found by each method is listed in Table 4.8.

Table 4.8: Solutions found in Equation (4.23)$_{10}$.

| Solutions found (at least) | Method |
|---|---|
| 411 | Method 1, $\Omega(9)$ |
| 1623 | Method 2, $A(8)$ |
| 284 | Method 3, $B(7)$ |

These solutions are listed at http://tdt.sjtu.edu.cn/10plus.html. Solutions found by the different methods are also listed separately there.
4.5.2 Minus-Type Equations

Similar to the Plus-Type Equations, we propose a fast algorithm to solve Equation (4.33) in this section.

Algorithms for Solving the Minus-Type Equations

Traditional algorithms to solve Equation (4.33) have high computational complexity. Our algorithm is based on factorizing integers using the elliptic curve method. The elliptic curve method is a fast, sub-exponential running time algorithm. We found all 550 solutions for $n = 8$, and we list them in this section. But the computation amount for $n = 9$ is beyond our computational capacity. We cannot solve Equation (4.33) for $n = 9$ directly. Therefore, we propose new methods to generate solutions from known solutions of Equation (4.23) with fewer variables. We have found 1547 solutions for $n = 9$ and 18984 solutions for $n = 10$. Due to space limitations, these solutions are published at the webpages http://tdt.sjtu.edu.cn/9minus.html and http://tdt.sjtu.edu.cn/10minus.html. These solutions can be used in the new batch RSA implementation.


Table 4.9: Research results about Equation (4.33)

| Results | Researchers | Year |
|---|---|---|
| $n \ge 9 \Rightarrow \Lambda(n+1) \ge \Omega(n) + \Omega(n-1) + 6$ | Sun and Cao [266] | 1985 |
| $2 \nmid n \ge 9 \Rightarrow \Lambda(n+1) \ge \Omega(n) + \Omega(n-1) + 10$ | Sun and Cao [266] | 1985 |
| found the complete solutions for $n \le 6$ | Sun and Cao [265] | 1986 |
| $n \ge 9 \Rightarrow \Lambda(n+1) \ge \Omega(n) + \Omega(n-1) + 10$ | Sun and Cao [267] | 1986 |
| $2 \mid n \ge 12 \Rightarrow \Lambda(n+1) \ge \Omega(n) + \Omega(n-1) + 14$ | Sun and Cao [267] | 1986 |
| $n \ge 10 \Rightarrow \Lambda(n+1) \ge \Omega(n) + \Omega(n-1) + 16$ | Cao, Liu and Zhang [75] | 1987 |
| $2 \mid n \ge 12 \Rightarrow \Lambda(n+1) \ge \Omega(n) + \Omega(n-1) + 18$ | Cao, Liu and Zhang [75] | 1987 |
| $n \ge 10 \Rightarrow \Lambda(n+1) \ge \Omega(n) + \Omega(n-1) + 34$ | Cao [69] | 1988 |
| $2 \mid n \ge 12 \Rightarrow \Lambda(n+1) \ge \Omega(n) + \Omega(n-1) + 46$ | Cao [69] | 1988 |


Equation (4.33) also helps to find Giuga numbers. A number $K$ is a Giuga number if and only if $p \mid \left(\frac{K}{p} - 1\right)$ for all prime divisors $p$ of $K$, or $\sum_{p\mid K}\frac{1}{p} - \prod_{p\mid K}\frac{1}{p} \in \mathbb{N}$ [124]. Giuga numbers are named after Giuga [124], who formulated a conjecture on primality in 1950: $N$ is prime if and only if $\sum_{k=1}^{N-1} k^{N-1} \equiv -1 \pmod N$. In 1996, Borwein et al. [44] published 11 Giuga numbers. Then Hogan and Mangilin found the 12th Giuga number [58], and Girgensohn found another one [58] in 2000. Sloane presented 13 Giuga numbers [261]. We prove that there are only 12 Giuga numbers with fewer than eight distinct prime factors, through the complete solutions of Equation (4.33) for $n \le 8$, which are listed in Appendix B and Appendix C. The basic idea is that the equation

$$\sum_{p\mid K}\frac{1}{p} - \prod_{p\mid K}\frac{1}{p} = 1 \qquad (4.37)$$

is a special case of Equation (4.33). $\prod_{1\le i\le n} x_i$ is a Giuga number if and only if $(x_1, x_2, \ldots, x_n)$ is a solution of Equation (4.33)$_n$ and $x_1, x_2, \ldots, x_n$ are all primes.


In the following section, we propose a fast algorithm to solve Equation (4.33) and 
a method to generate new solutions of Equation (4.33) from known solutions of Equa¬ 
tion (4.23). We first state some useful lemmas. 


Lemma 4.5.13. If $(x_1, x_2, \ldots, x_n)$ is a solution of Equation (4.33), then $x_1, x_2, \ldots, x_n$ are pairwise coprime.

Proof. For any $i, j$, $1 \le i < j \le n$, put $d = \gcd(x_i, x_j)$. We have

$$\prod_{1\le l\le n} x_l \cdot \left[\sum_{1\le l\le n}\frac{1}{x_l} - \prod_{1\le l\le n}\frac{1}{x_l}\right] = \prod_{1\le l\le n} x_l,\qquad d \mid \prod_{1\le l\le n} x_l.$$

Therefore,

$$d \mid \left[\sum_{1\le l\le n}\ \prod_{1\le m\le n,\ m\ne l} x_m - 1\right],\qquad d \mid \sum_{1\le l\le n}\ \prod_{1\le m\le n,\ m\ne l} x_m,$$

since every term of the last sum contains $x_i$ or $x_j$. Hence, $d \mid 1$, and so $d = 1$. This completes the proof. □
Lemma 4.5.14. If $(x_1, x_2, \ldots, x_n)$ is a solution of Equation (4.33), then

$$\frac{\prod_{1 \le j \le n} x_j}{x_i} \equiv 1 \pmod{x_i}, \qquad 1 \le i \le n.$$

Proof. By a direct computation, it is easy to prove the lemma. □

Lemma 4.5.15 (Sun and Cao [266]). Let $(x_1^{(j)}, x_2^{(j)}, \ldots, x_{n-1}^{(j)})$ be the $j$-th solution of Equation $(4.23)_{n-1}$, $1 \le j \le \Omega(n-1)$. Put $l_j(n) = \big(\prod_{1 \le i \le n-1} x_i^{(j)}\big)^2 - 1$. We have

$$A(n+1) \ge \Omega(n) + \sum_{1 \le j \le \Omega(n-1)} \Big( \frac{d(l_j(n))}{2} - 1 \Big),$$

where $d(l_j(n))$ denotes the number of different positive factors of $l_j(n)$.

Proof. The proof consists of two steps (Cao [70]):

Step 1: Let $k$ be a positive factor of $l_j(n)$ satisfying $1 < k < \sqrt{l_j(n)}$. Put $x_i = x_i^{(j)}$ for $1 \le i \le n-1$ and

$$x_n = \prod_{1 \le i \le n-1} x_i^{(j)} + k, \qquad x_{n+1} = \prod_{1 \le i \le n-1} x_i^{(j)} + \frac{l_j(n)}{k}.$$

Direct computation shows that $(x_1, x_2, \ldots, x_{n+1})$ is a solution of Equation $(4.33)_{n+1}$. The number of $k$ such that $1 < k < \sqrt{l_j(n)}$ is $d(l_j(n))/2 - 1$. Therefore, we can construct $\sum_{1 \le j \le \Omega(n-1)} \big(d(l_j(n))/2 - 1\big)$ solutions of Equation $(4.33)_{n+1}$, and all of these solutions satisfy $x_{n+1} \ne \prod_{1 \le i \le n} x_i - 1$.

Step 2: Let $(x_1, x_2, \ldots, x_n)$ be a solution of Equation $(4.23)_n$. Put $x_{n+1} = \prod_{1 \le i \le n} x_i - 1$. Then $(x_1, x_2, \ldots, x_{n+1})$ is a solution of Equation $(4.33)_{n+1}$. Since $x_{n+1} = \prod_{1 \le i \le n} x_i - 1$, this solution is different from any of the solutions generated in Step 1. Therefore, $A(n+1) \ge \Omega(n) + \sum_{1 \le j \le \Omega(n-1)} \big(d(l_j(n))/2 - 1\big)$. □

Lemma 4.5.16. For any solution $(x_1, x_2, \ldots, x_n)$ of Equation $(4.23)_n$, put

$$j = \prod_{1 \le i \le n} x_i, \quad x_{n+1} = j + k, \quad x_{n+2} = j + \frac{j^2 + t}{k}, \quad x_{n+3} = \frac{1}{t} \Big[ j (j+k) \Big( j + \frac{j^2 + t}{k} \Big) - 1 \Big],$$

where $k, t$ are positive integers. If $x_{n+1} < x_{n+2} < x_{n+3}$ and $x_{n+1}, x_{n+2}, x_{n+3} \in \mathbb{Z}$, then $(x_1, x_2, \ldots, x_{n+3})$ is a solution of Equation $(4.33)_{n+3}$, and

$$k \mid (j^2 + t), \qquad t \;\Big|\; \Big[ j (j+k) \Big( j + \frac{j^2 + t}{k} \Big) - 1 \Big], \qquad \gcd(j, k) = \gcd(k, t) = \gcd(j, t) = 1.$$

Moreover, $2 \mid j$ implies (i) the Jacobi symbol $\big(\frac{k}{t}\big) = 1$; (ii) $k \equiv 1 \pmod 4$ or $k \equiv t \equiv 3 \pmod 4$.

Proof. Assume that $(x_1, x_2, \ldots, x_n)$ is a solution of Equation $(4.23)_n$, $j = \prod_{1 \le i \le n} x_i$, $x_{n+1} = j + k$, $x_{n+2} = j + \frac{j^2 + t}{k}$, $x_{n+3} = \frac{1}{t}\big[ j(j+k)(j + \frac{j^2+t}{k}) - 1 \big]$, where $k$ and $t$ are positive integers. Assume that $x_{n+1} < x_{n+2} < x_{n+3}$ and $x_{n+1}, x_{n+2}, x_{n+3} \in \mathbb{Z}$. Direct computation shows that $(x_1, x_2, \ldots, x_{n+3})$ is a solution of Equation $(4.33)_{n+3}$. Put $y = x_{n+1}$, $z = x_{n+2}$, $w = x_{n+3}$. We have

$$\sum_{1 \le i \le n+3} \frac{1}{x_i} - \prod_{1 \le i \le n+3} \frac{1}{x_i} = 1 - \frac{1}{j} + \frac{1}{y} + \frac{1}{z} + \frac{1}{w} - \frac{1}{jyzw} = 1.$$

Therefore, $zwj + ywj + yzj - 1 = yzw$.

Let $d$ denote $\gcd(j, k)$; we have $d \mid y$ since $y = j + k$. Therefore $d \mid yzw$, and so $d \mid 1$.

Let $d'$ denote $\gcd(k, t)$. Since $t \mid \big[ j(j+k)(j + \frac{j^2+t}{k}) - 1 \big]$, we have

$$d' \;\Big|\; \Big[ j (j+k) \Big( j + \frac{j^2 + t}{k} \Big) - 1 \Big].$$

From $d' \mid k$, we get

$$d' \;\Big|\; \Big[ j^2 \Big( j + \frac{j^2 + t}{k} \Big) - 1 \Big], \qquad k \mid (j^2 + t).$$

Therefore $d' \mid j^2$. We have $d' \mid 1$.

Let $d''$ denote $\gcd(j, t)$. From $wt = j(j+k)(j + \frac{j^2+t}{k}) - 1$, $d'' \mid j$ and $d'' \mid wt$, it follows that $d'' = 1$.

Hence, $\gcd(j, k) = \gcd(k, t) = \gcd(j, t) = 1$.

Assume that $2 \mid j$. Since $t \mid \big[ j(j+k)(j + \frac{j^2+t}{k}) - 1 \big]$, we have $2 \nmid t$. From $k \mid (j^2 + t)$ we have $2 \nmid k$. Then from $k \mid (j^2 + t)$ we have

$$\Big( \frac{-t}{k} \Big) = 1, \qquad j (j+k) \Big( j + \frac{j^2 + t}{k} \Big) - 1 \equiv 0 \pmod t.$$

Hence $j^2 (j+k)^2 \equiv k \pmod t$. We have

$$\Big( \frac{k}{t} \Big) = 1; \qquad 1 = \Big( \frac{-t}{k} \Big) \Big( \frac{k}{t} \Big) = (-1)^{\frac{k-1}{2}} \Big( \frac{t}{k} \Big) \Big( \frac{k}{t} \Big) = (-1)^{\frac{k-1}{2}} (-1)^{\frac{(k-1)(t-1)}{4}}.$$

Hence, $k \equiv 1 \pmod 4$ or $k \equiv t \equiv 3 \pmod 4$. □


Lemma 4.5.17. Let $A$ be any positive integer. Put $x_1 = A$. For $1 < i \le n$, let $x_i$ be the minimum positive integer satisfying $x_i > x_{i-1}$ and $x_i$ is coprime to all of $x_1, x_2, \ldots, x_{i-1}$. If $\sum_{1 \le i \le n} \frac{1}{x_i} - \prod_{1 \le i \le n} \frac{1}{x_i} < 1$, then there is no solution of Equation $(4.33)_n$ with $x_1 = A$.

Proof. Suppose there is a solution of Equation $(4.33)_n$ with $x_1 = A$, say $(A, x_2^*, \ldots, x_n^*)$. For $1 < i \le n$, since $x_i$ is the minimum positive integer satisfying $x_i > x_{i-1}$ and coprime to all of $x_1, x_2, \ldots, x_{i-1}$, we have $x_i^* \ge x_i$. Because $\sum_i 1/x_i - \prod_i 1/x_i$ does not increase when any single $x_i$ is enlarged (its partial derivative with respect to $x_i$ is $-\frac{1}{x_i^2}\big(1 - \prod_{l \ne i} \frac{1}{x_l}\big) \le 0$), we have

$$1 = \sum_{1 \le i \le n} \frac{1}{x_i^*} - \prod_{1 \le i \le n} \frac{1}{x_i^*} \le \sum_{1 \le i \le n} \frac{1}{x_i} - \prod_{1 \le i \le n} \frac{1}{x_i} < 1,$$

a contradiction. This completes the proof. □


Lemma 4.5.18. Suppose $2 \le x_1 < \cdots < x_{n-2}$ and $x_1, x_2, \ldots, x_{n-2}$ are pairwise coprime. Put

$$A = \prod_{1 \le i \le n-2} x_i, \qquad B = A - \sum_{1 \le i \le n-2} \frac{A}{x_i}.$$

Let $P$ and $Q$ be positive integers such that $PQ = A^2 - B$, $P \le Q$. Put

$$x_{n-1} = \frac{A + P}{B}, \qquad x_n = \frac{A + Q}{B}.$$

If $x_{n-2} < x_{n-1}$, $x_{n-1} \in \mathbb{Z}$ and $x_n \in \mathbb{Z}$, then $(x_1, x_2, \ldots, x_n)$ is a solution of Equation $(4.33)_n$.

Proof. By a direct computation, it is easy to prove the lemma. □


Algorithm Outline: Direct Finding Algorithms

Let $(x_1, x_2, \ldots, x_n)$ be a solution of Equation $(4.33)_n$.

• First, we calculate $L_1$ (the lower bound of $x_1$) and $U_1$ (the upper bound of $x_1$).

Let $x_1$ be $A$, and let $x_{i+1}$ be the minimum positive integer such that $x_{i+1} > x_i$ and $x_{i+1}$ is coprime to each of $x_1, x_2, \ldots, x_i$, $1 \le i < n$. If $\sum_{1 \le i \le n} \frac{1}{x_i} - \prod_{1 \le i \le n} \frac{1}{x_i} \ge 1$, then $A \in [L_1, U_1]$; otherwise $A$ is excluded by Lemma 4.5.17.

For example, for Equation $(4.33)_8$, we fix $A = 2$; then we get $x_1 = 2$, $x_2 = 3$, $x_3 = 5$, $x_4 = 7$, $x_5 = 11$, $x_6 = 13$, $x_7 = 17$, and $x_8 = 19$:

$$\frac{1}{2} + \frac{1}{3} + \frac{1}{5} + \frac{1}{7} + \frac{1}{11} + \frac{1}{13} + \frac{1}{17} + \frac{1}{19} - \frac{1}{2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 19} > 1.$$

We fix $A = 3$; then we get $x_1 = 3$, $x_2 = 4$, $x_3 = 5$, $x_4 = 7$, $x_5 = 11$, $x_6 = 13$, $x_7 = 17$, and $x_8 = 19$:

$$\frac{1}{3} + \frac{1}{4} + \frac{1}{5} + \frac{1}{7} + \frac{1}{11} + \frac{1}{13} + \frac{1}{17} + \frac{1}{19} - \frac{1}{3 \cdot 4 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 19} > 1.$$

We fix $A = 4$; then we get $x_1 = 4$, $x_2 = 5$, $x_3 = 7$, $x_4 = 9$, $x_5 = 11$, $x_6 = 13$, $x_7 = 17$, and $x_8 = 19$:

$$\frac{1}{4} + \frac{1}{5} + \frac{1}{7} + \frac{1}{9} + \frac{1}{11} + \frac{1}{13} + \frac{1}{17} + \frac{1}{19} - \frac{1}{4 \cdot 5 \cdot 7 \cdot 9 \cdot 11 \cdot 13 \cdot 17 \cdot 19} < 1.$$

Hence, $L_1 = 2$, $U_1 = 3$.

• Then, for all values of $x_1, x_2, \ldots, x_i$ with $x_j \in [L_j, U_j]$, $1 \le j \le i$, we calculate $L_{i+1}$ and $U_{i+1}$, $1 \le i \le n-1$.

– From Equation (4.33) we have, for $i < n$,

$$\frac{1}{x_i} \le \sum_{i \le j \le n} \frac{1}{x_j} - \prod_{1 \le j \le n} \frac{1}{x_j} = 1 - \sum_{1 \le j \le i-1} \frac{1}{x_j} = \frac{\prod_{1 \le k \le i-1} x_k - \sum_{1 \le k \le i-1} \prod_{1 \le j \le i-1,\, j \ne k} x_j}{\prod_{1 \le k \le i-1} x_k}.$$

Hence,

$$L_i = \max \Big\{ x_{i-1} + 1,\ \Big\lceil \frac{\prod_{1 \le k \le i-1} x_k}{\prod_{1 \le k \le i-1} x_k - \sum_{1 \le k \le i-1} \prod_{1 \le j \le i-1,\, j \ne k} x_j} \Big\rceil \Big\}.$$

– It follows from

$$\sum_{1 \le k \le i-1} \frac{1}{x_k} + \frac{n - i + 1}{x_i} \ge \sum_{1 \le k \le n} \frac{1}{x_k} > \sum_{1 \le k \le n} \frac{1}{x_k} - \prod_{1 \le k \le n} \frac{1}{x_k} = 1$$

that

$$x_i \le \frac{\big( \prod_{1 \le k \le i-1} x_k \big)(n - i + 1)}{\prod_{1 \le k \le i-1} x_k - \sum_{1 \le k \le i-1} \prod_{1 \le j \le i-1,\, j \ne k} x_j}.$$

Therefore,

$$U_i = \Big\lfloor \frac{\big( \prod_{1 \le k \le i-1} x_k \big)(n - i + 1)}{\prod_{1 \le k \le i-1} x_k - \sum_{1 \le k \le i-1} \prod_{1 \le j \le i-1,\, j \ne k} x_j} \Big\rfloor.$$

– When $(x_1, x_2, \ldots, x_{i-1})$ are fixed, we set $x_i = U_i$ and we let $x_j$ ($i < j \le n$) be the minimum positive integer such that $x_j$ is coprime to each of $x_1, x_2, \ldots, x_{j-1}$ and $x_j > x_{j-1}$. Then, if a solution with this $x_i$ exists,

$$\sum_{1 \le i \le n} \frac{1}{x_i} - \prod_{1 \le i \le n} \frac{1}{x_i} \ge 1.$$

We can reduce $U_i$ based on this fact.

• When $(x_1, x_2, \ldots, x_{n-2})$ are fixed, calculate $x_{n-1}, x_n$ by Lemma 4.5.18. Put

$$A = \prod_{1 \le i \le n-2} x_i, \qquad B = A - \sum_{1 \le i \le n-2} \frac{A}{x_i}.$$

Factorize $A^2 - B$. For all positive integers $P$ and $Q$ such that $PQ = A^2 - B$, $P \le Q$, put

$$x_{n-1} = \frac{A + P}{B}, \qquad x_n = \frac{A + Q}{B}.$$

If $x_{n-2} < x_{n-1}$, $x_{n-1} \in \mathbb{Z}$ and $x_n \in \mathbb{Z}$, then $(x_1, x_2, \ldots, x_n)$ is a solution of Equation $(4.33)_n$.

Pseudo Codes

The pseudo codes of the above algorithms are listed as follows:

Algorithm 3 Search2

Procedure Search2(depth)
Input: depth
Output: All solutions of Equation $(4.33)_n$
1: if depth = n then
2:   $x_n \leftarrow \dfrac{\prod_{1 \le k \le n-1} x_k - 1}{\prod_{1 \le k \le n-1} x_k - \sum_{1 \le k \le n-1} \prod_{1 \le j \le n-1,\, j \ne k} x_j}$
3:   if $x_n$ is an integer then
4:     output $x_1, x_2, \ldots, x_n$
5:   end if
6: else
7:   if depth < n − 1 then
8:     $L_{depth} \leftarrow \max\Big\{ x_{depth-1} + 1,\ \Big\lceil \dfrac{\prod_{1 \le k \le depth-1} x_k}{\prod_{1 \le k \le depth-1} x_k - \sum_{1 \le k \le depth-1} \prod_{1 \le j \le depth-1,\, j \ne k} x_j} \Big\rceil \Big\}$
9:     $U_{depth} \leftarrow \Big\lfloor \dfrac{\big( \prod_{1 \le k \le depth-1} x_k \big)(n - depth + 1)}{\prod_{1 \le k \le depth-1} x_k - \sum_{1 \le k \le depth-1} \prod_{1 \le j \le depth-1,\, j \ne k} x_j} \Big\rfloor$
10:    call ReduceUpperBound(depth)
11:    for all $x_{depth} \in [L_{depth}, U_{depth}]$ do
12:      if $(x_1, \ldots, x_{depth})$ are all relatively prime then
13:        call Search2(depth + 1)
14:      end if
15:    end for
16:  else
17:    if depth = n − 1 then
18:      $L_{depth} \leftarrow \max\Big\{ x_{depth-1} + 1,\ \Big\lceil \dfrac{\prod_{1 \le k \le depth-1} x_k}{\prod_{1 \le k \le depth-1} x_k - \sum_{1 \le k \le depth-1} \prod_{1 \le j \le depth-1,\, j \ne k} x_j} \Big\rceil \Big\}$
19:      $U_{depth} \leftarrow \Big\lfloor \dfrac{\big( \prod_{1 \le k \le depth-1} x_k \big)(n - depth + 1)}{\prod_{1 \le k \le depth-1} x_k - \sum_{1 \le k \le depth-1} \prod_{1 \le j \le depth-1,\, j \ne k} x_j} \Big\rfloor$
20:      call ReduceUpperBound(depth)
21:      if $U_{depth} - L_{depth} \le 120000$ (see the remark) then
22:        for all $x_{depth} \in [L_{depth}, U_{depth}]$ do
23:          if $(x_1, \ldots, x_{depth})$ are all relatively prime then
24:            call Search2(depth + 1)
25:          end if
26:        end for
27:      else
28:        $A \leftarrow \prod_{1 \le i \le n-2} x_i$
29:        $B \leftarrow A - \sum_{1 \le i \le n-2} A / x_i$
30:        $C \leftarrow A^2 - B$
31:        for all positive factors $P$ of $C$ (see the remark) do
32:          $Q \leftarrow C / P$
33:          if $P \le Q$ then
34:            $x_{n-1} \leftarrow \dfrac{A + P}{B}$, $x_n \leftarrow \dfrac{A + Q}{B}$
35:            if $x_{n-1} > x_{n-2}$ and both $x_{n-1}$ and $x_n$ are integers then
36:              output $x_1, x_2, \ldots, x_n$
37:            end if
38:          end if
39:        end for
40:      end if
41:    end if
42:  end if
43: end if

Algorithm 4 ReduceUpperBound

Procedure: ReduceUpperBound(depth)
Input: depth
Output: Nothing
1: while TRUE do
2:   $x_{depth} \leftarrow U_{depth}$
3:   for i = depth + 1 to n do
4:     $x_i \leftarrow$ the minimum value such that $x_i > x_{i-1}$ and $(x_1, x_2, \ldots, x_i)$ are all relatively prime
5:   end for
6:   if $\sum_{1 \le i \le n} \frac{1}{x_i} - \prod_{1 \le i \le n} \frac{1}{x_i} < 1$ then
7:     $U_{depth} \leftarrow U_{depth} - 1$
8:   else
9:     return
10:  end if
11: end while

Remark 4.5.19. The complete solutions of Equation (4.33) are found by running Algorithm Search2(depth = 1).

Remark 4.5.20. Algorithm Search2 can be further optimized. The computation amount of factoring an integer is about 60,000 times that of computing $x_n$ from $(x_1, x_2, \ldots, x_{n-1})$. Hence, we factorize $A^2 - B$ to get $x_{n-1}, x_n$ only if $U_{n-1} - L_{n-1} > 120{,}000$.

Remark 4.5.21. The integer factorization algorithm is based on Alpern's [4] contribution.
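As an added worked example, not code from the book, the direct-finding procedure of Algorithms 3 and 4 in Python for small $n$, with exact rational arithmetic. The bounds are the $L_i$, $U_i$ of the outline, the last unknown is computed from the closed form at line 2 of Search2, and the factoring shortcut of lines 28 to 39 is left out because at small $n$ the ranges never approach the 120,000 threshold of Remark 4.5.20 (the function and variable names are this example's own).

```python
from fractions import Fraction
from math import gcd, prod


def minus_type_value(xs):
    """sum 1/x_i - prod 1/x_i, computed exactly."""
    return sum(Fraction(1, x) for x in xs) - Fraction(1, prod(xs))


def greedy_extension(xs, n):
    """Extend xs to length n with the smallest admissible values: each new x_i
    exceeds its predecessor and is coprime to everything before it (Lemma 4.5.17)."""
    ys = list(xs)
    while len(ys) < n:
        c = ys[-1] + 1
        while any(gcd(c, y) != 1 for y in ys):
            c += 1
        ys.append(c)
    return ys


def bounds(prefix, n):
    """L_i and U_i for x_i given the fixed prefix (x_1, ..., x_{i-1}).
    Returns (L, U) with U < L when no x_i can complete the prefix."""
    i = len(prefix) + 1
    rest = 1 - sum(Fraction(1, x) for x in prefix)   # what 1/x_i + ... must still supply
    if rest <= 0:
        return 1, 0
    lower = max(prefix[-1] + 1 if prefix else 2, -(-1 // rest))   # ceil(1 / rest)
    upper = (n - i + 1) // rest                                   # floor((n-i+1) / rest)
    return lower, upper


def reduce_upper_bound(prefix, n, L, U):
    """Algorithm 4: lower U while the greedy completion from x_i = U stays below 1."""
    while U >= L and minus_type_value(greedy_extension(prefix + [U], n)) < 1:
        U -= 1
    return U


def last_value(prefix):
    """x_n determined by x_1..x_{n-1} (line 2 of Search2): (P - 1) / (P - T), where
    P = prod x_k and T = sum_k prod_{j != k} x_j. Returns None unless it is an integer."""
    P = prod(prefix)
    T = sum(P // x for x in prefix)
    if P - T <= 0 or (P - 1) % (P - T) != 0:
        return None
    return (P - 1) // (P - T)


def search2(n, prefix=None, solutions=None):
    """Depth-first search (Algorithm 3 without the factoring shortcut) for all
    2 <= x_1 < ... < x_n with sum 1/x_i - prod 1/x_i = 1, in lexicographic order."""
    if n < 2:
        return []
    prefix = [] if prefix is None else prefix
    solutions = [] if solutions is None else solutions
    if len(prefix) == n - 1:
        x_n = last_value(prefix)
        if x_n is not None and x_n > prefix[-1]:
            solutions.append(tuple(prefix) + (x_n,))
        return solutions
    L, U = bounds(prefix, n)
    U = reduce_upper_bound(prefix, n, L, U)
    for x in range(L, U + 1):
        if all(gcd(x, y) == 1 for y in prefix):   # Lemma 4.5.13: solutions are pairwise coprime
            search2(n, prefix + [x], solutions)
    return solutions


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(n, search2(n))
```

For $n = 4$ the search visits only $x_1 = 2$, $x_2 = 3$ and $x_3 \in \{7, 11\}$, since `reduce_upper_bound` cuts $U_1$ from $4$ to $2$ and $U_3$ from $12$ to $11$; the two solutions are the Giuga numbers $2 \cdot 3 \cdot 7 \cdot 41$ and $2 \cdot 3 \cdot 11 \cdot 13$.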

New Solutions Generated from Known Solutions

New solutions of the Minus-type Equation (4.33) can be extracted from solutions of the Plus-type Equation (4.23). The following four methods generate new solutions from known solutions of Equation (4.23).

• Method 1: Gap-one extension. For each solution $(x_1, x_2, \ldots, x_n)$ of Equation $(4.23)_n$, we set $x_{n+1} = \prod_{1 \le i \le n} x_i - 1$; then $(x_1, x_2, \ldots, x_{n+1})$ is a solution of Equation $(4.33)_{n+1}$.

• Method 2: Gap-two extension. For each solution $(x_1, x_2, \ldots, x_n)$ of Equation $(4.23)_n$, we set $J = \prod_{1 \le i \le n} x_i$, $C = J^2 - 1$. Then we factor $C$. For each positive factor $k$ of $C$, we set

$$x_{n+1} = J + k, \qquad x_{n+2} = J + \frac{C}{k}.$$

If $x_n < x_{n+1} < x_{n+2}$, then $(x_1, x_2, \ldots, x_{n+2})$ is a solution of Equation $(4.33)_{n+2}$.

• Method 3: Gap-three extension. For each solution $(x_1, x_2, \ldots, x_n)$ of Equation $(4.23)_n$, put $J = \prod_{1 \le i \le n} x_i$. For each odd integer $t > 0$, one factors $J^2 + t$. For each positive factor $k$ of $J^2 + t$, put

$$x_{n+1} = J + k, \qquad x_{n+2} = J + \frac{J^2 + t}{k}, \qquad x_{n+3} = \frac{J \cdot x_{n+1} \cdot x_{n+2} - 1}{t}.$$

Then $(x_1, x_2, \ldots, x_{n+3})$ is probably a solution of Equation $(4.33)_{n+3}$: by Lemma 4.5.16 it is one exactly when $x_{n+1} < x_{n+2} < x_{n+3}$ are all integers.

• Method 4: Gap-two extension$^+$. Randomly choose $(x_1, x_2, \ldots, x_n)$ such that $x_1, x_2, \ldots, x_n$ are pairwise coprime, $2 \le x_1 < \cdots < x_n$. Let

$$A = \prod_{1 \le i \le n} x_i, \qquad B = A - \sum_{1 \le i \le n} \frac{A}{x_i}.$$

For all $P, Q$ such that $1 \le P \le Q$, $PQ = A^2 - B$, let

$$x_{n+1} = \frac{A + P}{B}, \qquad x_{n+2} = \frac{A + Q}{B}.$$

If $x_n < x_{n+1}$, $x_{n+1} \in \mathbb{Z}$ and $x_{n+2} \in \mathbb{Z}$, then $(x_1, x_2, \ldots, x_{n+2})$ is a solution of Equation $(4.33)_{n+2}$.
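The four methods above as an added Python example; this is not the book's code. The Plus-type inputs $(2,3)$, $(2,3,7)$, $(2,3,7,43)$ are constructed here and verified by `is_solution` rather than taken from the Appendix tables, and `divisors` is a trial-division helper that is adequate only for the small $C$ in these examples (the book's runs use Alpern's factorization routine instead). The block also carries over to Lemma 4.5.18, of which Method 4 is the direct use.

```python
from fractions import Fraction
from math import prod

# Constructed inputs: solutions of the Plus-type Equation (4.23)_n for n = 2, 3, 4,
# checked by is_solution(..., +1) below.
PLUS_SOLUTIONS = {2: (2, 3), 3: (2, 3, 7), 4: (2, 3, 7, 43)}


def equation_value(xs, sign):
    """sum 1/x_i + sign * prod 1/x_i: sign = +1 is Equation (4.23), sign = -1 is (4.33)."""
    return sum(Fraction(1, x) for x in xs) + sign * Fraction(1, prod(xs))


def is_solution(xs, sign):
    """Increasing tuple with x_1 >= 2 whose equation value is exactly 1."""
    return xs[0] >= 2 and all(a < b for a, b in zip(xs, xs[1:])) and equation_value(xs, sign) == 1


def divisors(c):
    """All positive divisors of c in increasing order, by trial division."""
    small, large = [], []
    d = 1
    while d * d <= c:
        if c % d == 0:
            small.append(d)
            if d * d != c:
                large.append(c // d)
        d += 1
    return small + large[::-1]


def gap_one(plus):
    """Method 1: append x_{n+1} = prod x_i - 1."""
    return tuple(plus) + (prod(plus) - 1,)


def gap_two(plus):
    """Method 2: x_{n+1} = J + k, x_{n+2} = J + C/k for every divisor k of C = J^2 - 1."""
    J = prod(plus)
    C = J * J - 1
    out = []
    for k in divisors(C):
        cand = tuple(plus) + (J + k, J + C // k)
        if cand[-3] < cand[-2] < cand[-1]:
            out.append(cand)
    return out


def gap_three(plus, t_max):
    """Method 3 for odd t <= t_max: the candidates of Lemma 4.5.16, kept only when
    x_{n+3} is an integer and the ordering holds (then they really are solutions)."""
    J = prod(plus)
    out = []
    for t in range(1, t_max + 1, 2):
        for k in divisors(J * J + t):
            y, z = J + k, J + (J * J + t) // k
            if (J * y * z - 1) % t != 0:
                continue
            cand = tuple(plus) + (y, z, (J * y * z - 1) // t)
            if cand[-4] < y < z < cand[-1] and is_solution(cand, -1):
                out.append(cand)
    return out


def gap_two_plus(xs):
    """Method 4 / Lemma 4.5.18 from any pairwise-coprime increasing tuple.
    Needs B = A - sum A/x_i > 0, i.e. sum 1/x_i < 1; otherwise no candidate is positive."""
    A = prod(xs)
    B = A - sum(A // x for x in xs)
    if B <= 0:
        return []
    C = A * A - B
    out = []
    for P in divisors(C):
        Q = C // P
        if P > Q or (A + P) % B or (A + Q) % B:
            continue
        cand = tuple(xs) + ((A + P) // B, (A + Q) // B)
        if cand[-3] < cand[-2] < cand[-1]:
            out.append(cand)
    return out
```

Starting from $(2,3)$, Methods 2 and 4 both yield $(2,3,7,41)$ and $(2,3,11,13)$, and Method 3 with $t = 41$ reaches $(2,3,7,83,85)$, a Minus-type solution that is not a Giuga number because $85$ is composite.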

The number of solutions for $n = 8, 9, 10$

All the solutions of Minus-Type Equations for $n \le 7$ are listed in Appendix B. We also have the following results:
Theorem 4.5.22. The number of the complete solutions of Equation $(4.33)_8$ is 550 (listed in Appendix C).

Corollary 4.5.23. There are only 12 Giuga numbers with no more than eight distinct prime factors.

Proof. A number $K$ is a Giuga number if and only if $\sum_{p \mid K} \frac{1}{p} - \prod_{p \mid K} \frac{1}{p} \in \mathbb{N}$ [124]. If $K$ has no more than 8 distinct prime factors, then $K$ is a Giuga number if and only if $\sum_{p \mid K} \frac{1}{p} - \prod_{p \mid K} \frac{1}{p} = 1$, since

$$\sum_{p \mid K} \frac{1}{p} - \prod_{p \mid K} \frac{1}{p} < \frac{1}{2} + \frac{1}{3} + \frac{1}{5} + \frac{1}{7} + \frac{1}{11} + \frac{1}{13} + \frac{1}{17} + \frac{1}{19} < 2.$$

Each solution of Equation $(4.33)_n$ in which $x_1, x_2, \ldots, x_n$ are all primes corresponds to a Giuga number $\prod_{1 \le i \le n} x_i$. Therefore, this corollary can be verified from all solutions of Equation $(4.33)_n$ for $n \le 8$, which are listed in Appendices B and C. The Giuga numbers with no more than eight distinct prime factors are:

2 × 3 × 5,

2 × 3 × 7 × 41,

2 × 3 × 11 × 13,

2 × 3 × 11 × 17 × 59,

2 × 3 × 7 × 43 × 3041 × 4447,

2 × 3 × 11 × 23 × 31 × 47057,

2 × 3 × 7 × 59 × 163 × 1381 × 775807,

2 × 3 × 7 × 71 × 103 × 61559 × 29133437,

2 × 3 × 7 × 71 × 103 × 67213 × 713863,

2 × 3 × 7 × 43 × 1831 × 138683 × 2861051 × 1456230512169437,

2 × 3 × 11 × 23 × 31 × 47059 × 2259696349 × 110725121051,

2 × 3 × 11 × 23 × 31 × 47137 × 28282147 × 3892535183. □
Theorem 4.5.24. Equation $(4.33)_9$ has at least 1547 solutions. These solutions are available at http://tdt.sjtu.edu.cn/9minus.html

Proof. The numbers of solutions found by each method are listed in Table 4.12.

Table 4.12: Numbers of solutions of Equation $(4.33)_9$ found

Numbers of solutions found    Method
122                           Method 1
1342                          Method 2
51                            Method 4
32                            Direct finding

□

Theorem 4.5.25. Equation $(4.33)_{10}$ has at least 18984 solutions. These solutions are available at http://tdt.sjtu.edu.cn/10minus.html

Proof. From the known 411 solutions of Equation $(4.23)_9$, we can find 411 solutions of Equation $(4.33)_{10}$ by Method 1 (Gap-one extension). The others are from Method 2 (Gap-two extension). □


4.6 Notes

In this chapter, we have introduced a new direction of modern cryptography, Batch Cryptography, which includes batch encryption/decryption, batch key agreement, and batch signature/verification. We implemented batch RSA schemes based on the Diophantine Equations (Plus-Type Equations and Minus-Type Equations), and gave methods to solve these Diophantine equations².

There are some interesting problems in batch cryptography which are still open. For instance,

² We finished two manuscripts about efficiently implementing batch RSA and solving the Diophantine Equations (Plus-Type Equations and Minus-Type Equations) in 2008. Readers who are interested in this area can refer to [71,72].
1. How to design aggregate signature and batch verification schemes without extra requirements, such that they are secure in the standard model?

Research in batch cryptography is focusing on aggregate signature and batch verification, which are secure in the random oracle model. In order to make them secure in the standard model, it is usual to introduce extra requirements. However, it remains open to construct a practical aggregation scheme in the standard model without extra requirements such as timing, interactive restrictions, or requiring each user to be able to prove knowledge of his/her secret key. It is also open to explore other relaxations of the full aggregation model.
2. How to design batch encryption schemes based on other assumptions such as quadratic residue, discrete logarithm, and pairing-based assumptions?

Almost all existing research is focusing on batch RSA. To avoid putting all eggs in one basket, it is better to design new feasible batch cryptographic algorithms based on quadratic residues or the discrete logarithm problem. Besides, there is no formal security proof for batch RSA. This is still an open problem.

3. How to design batch key exchange/agreement protocols?

So far, batch key exchange/agreement has attracted little attention. In the special case where there are many senders and only one receiver, each sender sends the ciphertext of a random number to the receiver under the receiver's public key. Then, the receiver is able to batch decrypt them and establish a secure channel with each sender. Designing batch key exchange/agreement protocols becomes more complicated if attackers exist and the property of entity authentication is required.
4. How to combine the batch technique with other cryptographic algorithms?

In this chapter, we only considered batch algorithms without combining them with other algorithms, such as proxy re-encryption/re-signature and attribute-based encryption/signature. It must be interesting to construct cryptographic algorithms using batch techniques to improve the efficiency as well as the security.

5. How to find all the solutions of the Plus-Type Equations and Minus-Type Equations with $n = 9, 10$, which can be used as the public keys in batch RSA? Furthermore, how to find the solutions to these equations when the right side of these equations is 2, not 1?

We have given a new implementation of batch RSA. It requires only one modulus, $N$. This implementation is more suitable for constructing hardware circuits for batch RSA decryption. This implementation is based on the Diophantine Equations

$$\sum_{1 \le i \le N} \frac{1}{x_i} \pm \prod_{1 \le i \le N} \frac{1}{x_i} = 1, \qquad 2 \le x_1 < x_2 < \cdots < x_N.$$

All solutions to these equations for $N \le 8$ are known, but the complete solutions for $N \ge 9$ are unknown.



Chapter 5

Noncommutative Cryptography

5.1 Introduction

As a new direction in modern cryptography, noncommutative cryptography differs much from those discussed in previous chapters. In this chapter, we will discuss this subject by exploring the following questions.

Question 1: What is noncommutative cryptography?

An immediate reply: It is an abbreviation of cryptography based on noncommutative algebraic structures, such as

• noncommutative groups or semigroups,

• noncommutative rings,

• even arbitrary sets over which some noncommutative operations could be well-defined.

Question 2: Why do we need noncommutative cryptography?

Before answering this question, let us pay attention to the following issues:

• In 1994, Shor [257] proposed an efficient quantum algorithm for solving the integer factoring problem (IFP¹) and the discrete logarithm problem (DLP). In 2003, Shor's algorithm was also extended to solve the discrete logarithm problem over elliptic curves (ECDLP) [229]. Shor's algorithm can be regarded as a special case of Kitaev's framework [172] for solving the so-called hidden subgroup (or subfield) problems (HSP). Now, we are aware of efficient quantum algorithms for HSP over arbitrary commutative groups. But there is evidence to suggest that HSP over noncommutative groups might be much harder: the progress in quantum algorithms for HSP over some noncommutative groups (e.g., symmetric groups) is very limited, even negative in some cases [234].

• In 2002, Stinson et al. [207] observed that most unbroken public-key cryptosystems used today were based on commutative algebraic structures, such as

– $\mathbb{Z}_N$ (where $N$ is a large composite integer), $\mathbb{Z}_p$ (where $p$ is a large prime), and $\mathbb{F}_q$ (where $q = p^m$ is a power of some prime $p$ and $m$ is a positive integer), over which the well-known cryptosystems such as RSA encryption, ElGamal encryption, and Schnorr signature are defined, respectively;

– $E(\mathbb{F}_q)$ (i.e., the elliptic curves over the finite field $\mathbb{F}_q$), over which the elliptic curve cryptosystems and the pairing-based cryptosystems are defined;

– $C_K$ (i.e., the ideal class group over some algebraic (closed) field $K$), over which the (real or imaginary) quadratic field cryptosystems are defined.

¹ Shor's factoring algorithm uses two quantum registers. By introducing one more quantum register, we show that the measured numbers in the second and third quantum registers, which are of the same pre-measurement state, should be equal if Shor's complexity analysis is sound. This seems to contradict Shor's argument that there are $r$ possible observed values for the second register. Some argue that the three quantum registers are entangled. If so, it is a peculiar entanglement which has not yet been mentioned. In our opinion, Shor's algorithm is not beyond doubt from a theoretical point of view. See Zhengjun Cao and Zhenfu Cao: On Shor's factoring algorithm with three quantum registers (under review).
For clarity, we would like to refer to these cryptosystems as commutative cryptography. The theoretical foundations for the above cryptosystems are based on the intractability of problems closer to number theory than group theory [207]. (A less rigid illustration is given in Figure 5.1.)

Figure 5.1: Cryptography, Number Theory, and Group Theory

From the above facts, we see that classical commutative cryptography might be vulnerable to quantum computing. Moreover, cryptographers Goldreich and Lee [179] advised not to put all eggs in one basket. Therefore, it seems appropriate to introduce noncommutativity into cryptography.

Question 3: What is the state of the art of noncommutative cryptography?

The use of noncommutative groups in cryptography goes back to Magyarik and Wagner [279], who proposed an approach to designing public-key cryptosystems based on the undecidable word problem over groups and semigroups. This work did not attract much attention until recently: in 2006, Birget et al. [28] pointed out that Magyarik and Wagner's scheme is actually not based on the word problem but on the premise problem, which is generally easier than the former. Now, when we look back, it seems that Magyarik and Wagner's pioneering idea came a bit early. The glory of the public-key cryptography community in the 1980s was dominated by RSA, ElGamal, ECC, etc. However, there is no silver bullet in this world. In 1994, Shor's efficient quantum algorithm for solving IFP and DLP emerged. Although a practical quantum computer might be at least decades away, its potentially powerful capability has already cast distrust on current cryptographic methods [179]. Since then many attempts have been made to develop alternative public-key cryptosystems based on different platforms. Therefore, noncommutative cryptography takes advantage of a turn of events and gets going.

In 1999, Anshel et al. [6] proposed an elegant algebraic key establishment protocol. The foundation of their method lies in the difficulty of solving equations over algebraic structures, in particular Garside groups [6]. In their pioneering paper, they also suggested that braid groups might be a good alternative. Shortly afterward, Ko et al. [175] published a fully fledged encryption scheme using braid groups. Since then the subject has met with quick success (see Section 5.2). However, from 2001 to 2003, repeated cryptanalytic successes also diminished the initial optimism on the subject [93]. It seems that more research is still needed to reach a definite conclusion on the cryptographic potential of braid groups. Garber [117] made a comprehensive survey of braid-based cryptography in 2007.

In 2001, Paeng et al. [224] proposed another new public-key cryptosystem built on finite non-abelian groups. Paeng's method is based on the discrete logarithm problem in the inner automorphism group defined by the conjugate action. Paeng's systems were later improved and referred to as the so-called MOR system. In 2002, Magliveras et al. [207] also developed new approaches to design public-key cryptosystems using one-way functions and trapdoors in finite groups. Their method originated from group theory. They introduced two public-key cryptosystems, MST1 and MST2, based on the difficulty of computing certain factorizations in finite groups. Later, Vasco et al. [276] demonstrated that the factorization concept used in MST1 and MST2 admits a uniform description of several cryptographic primitives. Also, it turned out that a generalization of MST2 can serve as a unified framework for several public-key cryptosystems, including the ElGamal system [107], the braid group based system [175] and the MOR system.

In 2002, Grigoriev and Ponomarenko first constructed [131] homomorphic cryptosystems over non-abelian groups. Shortly afterward, based on the difficulty of the membership problem for groups of integer matrices, their method was extended to arbitrary finite groups [132,133].

In 2004, inspired by Anshel et al.'s idea in algebraic key exchange, Eick and Kahrobaei [106] proposed a new cryptosystem over polycyclic groups². Further, Mahalanobis [208] in 2006 generalized the Diffie-Hellman key exchange protocol from a cyclic group to a finitely presented non-abelian nilpotent group of class 2.

In 2005, Shpilrain and Ushakov [259] suggested that Thompson's group might be a good platform for constructing public-key cryptosystems. In their contribution, the basic assumption is the intractability of the decomposition problem, which is more general than the conjugator search problem.

In 2006, Baumslag et al. [19] suggested potential cryptosystems using linear groups. In 2007, they [17] further suggested using the classical modular group as a platform for cryptography. In fact, Yamamura [299] should be credited for introducing the extended modular group $SL_2(\mathbb{Z})$ into cryptography in 1998. But Yamamura's scheme was shown to have loopholes [135]. In [17] attacks based on these loopholes were closed [112].

² In group theory, a normal series is a series of normal subgroups of a group $G$,

$$G = H_1 \triangleright H_2 \triangleright \cdots \triangleright H_{n+1} = \{1\}.$$

If each term of the series is normal not only in the whole group but also in the preceding term, then the series is called subnormal. A group $G$ is called polycyclic if it has a subnormal series with cyclic factors, i.e., $H_i/H_{i+1}$ is cyclic for $i = 1, \ldots, n$. A group $G$ is called nilpotent if it has a normal series so that every quotient $H_i/H_{i+1}$ lies in the centre of $G/H_{i+1}$ (a so-called central series). The length of a shortest central series of a nilpotent group is called its class (or degree of nilpotency). Finitely-generated nilpotent groups are polycyclic groups and, moreover, have a central series with cyclic factors.
Also in 2006, Dehornoy [94] proposed an authentication scheme based on left self-distributive (LD) systems. This idea was further developed by introducing the concept of the one-way LD system [287]. An algebraic system $(A, *)$ is called left self-distributive if for all $a, b, c \in A$,

$$a * (b * c) = (a * b) * (a * c). \qquad (5.1)$$

An LD system is said to be one-way if it is intractable to extract $a$ given $a * b$ and $b$. In general, an LD system is much different from (semi)groups. In fact, it is not even associative. However, one can easily define non-trivial LD systems over any noncommutative group $G$ via the mapping

$$a * b = a b a^{-1}. \qquad (5.2)$$

Moreover, if the conjugator search problem (CSP) over $G$ is intractable, then the derived LD system is one-way. Therefore, cryptosystems over one-way LD systems admit many kinds of implementations.
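An added Python example, not from the book or the cited papers: the LD identity (5.1) for the conjugation operation (5.2), checked exhaustively over the symmetric group $S_3$ (permutations as tuples, a constructed finite stand-in for the group $G$), together with the brute-force recovery of $a$ from $a * b$ and $b$, which is feasible only because the group is tiny and is exactly the conjugator search that a one-way LD system must make intractable.

```python
from itertools import permutations


def compose(p, q):
    """(p q)(i) = p(q(i)); a permutation is a tuple mapping index -> image."""
    return tuple(p[q[i]] for i in range(len(p)))


def inverse(p):
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)


def ld_star(a, b):
    """The operation of (5.2): a * b = a b a^{-1}, conjugation of b by a."""
    return compose(compose(a, b), inverse(a))


def symmetric_group(n):
    """All permutations of {0, ..., n-1}; S_n is noncommutative for n >= 3."""
    return [tuple(p) for p in permutations(range(n))]


def is_left_self_distributive(G, star):
    """Identity (5.1), a*(b*c) = (a*b)*(a*c), over every triple of G."""
    return all(star(a, star(b, c)) == star(star(a, b), star(a, c))
               for a in G for b in G for c in G)


def is_associative(G, star):
    return all(star(star(a, b), c) == star(a, star(b, c))
               for a in G for b in G for c in G)


def is_trivial(G, star):
    """The LD system is trivial when a*b = b for all a, b, as it is over an abelian group."""
    return all(star(a, b) == b for a in G for b in G)


def find_conjugators(G, target, b):
    """Exhaustive solution of the one-wayness challenge: all a with a*b == target.
    Over a large platform group this is the conjugator search problem (CSP)."""
    return [a for a in G if ld_star(a, b) == target]
```

Over $S_3$ the operation satisfies (5.1), is not associative (take $b = e$: $(a * e) * c = c$ while $a * (e * c) = a c a^{-1}$), and is not trivial; over the abelian $S_2$ it collapses to $a * b = b$. The set returned by `find_conjugators` is a coset of the centralizer of $b$, which is why recovering a unique $a$ is not even well posed without extra information.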

In 2006, we [73] proposed a method to use polynomials over noncommutative rings or (semi)groups to build cryptographic schemes. This method is now referred to as the Z-modular method (see Section 5.3). In 2008, the Z-modular method was used to build signature schemes over noncommutative groups and division semirings³ [231], respectively. Moreover, if we restrict the polynomials used in the Z-modular method to be monomials, then the conjugacy related assumptions can be viewed as special cases of the assumptions defined in the Z-modular method.

In 2009, Vats [277] proposed a cryptosystem, named NNRU, and claimed that it is a noncommutative analogue of the well-known NTRU cryptosystem [143]. NNRU operates in the noncommutative ring $M = M_k(\mathbb{Z})[X]/(X^n - I_{k \times k})$, where $M$ is a matrix ring of $k \times k$ matrices of polynomials in $R = \mathbb{Z}[X]/(X^n - 1)$. The main enhancement is that the lattice-based attack, which is the biggest threat to NTRU, fails for NNRU.

³ A semiring is a natural noncommutative generalization of a ring in the sense that both binary operations $+$ and $\cdot$ are not required to be commutative.

In 2010, finite noncommutative groups of four-dimensional vectors over a ground field were constructed for implementing cryptographic protocols [213].

In 2011, inspired by the recent success of applying the problems of learning parity with noise (LPN) [30] and learning with errors (LWE) [232] to a variety of cryptographic constructions, Baumslag et al. [18] proposed the generalized learning problem over noncommutative groups. Their work opens a new avenue for developing cryptography based on combinatorial group theory.

Of course, the above list is far from complete. Here, we just pick one or two typical examples in each year to illustrate that the research on noncommutative cryptography during the first decade of the new century is considerably attractive. We would like to point out that almost all initial attempts mentioned above have been shown to be insecure, but the experience from these early attempts has great significance. Readers who want to pay more attention to various attacks against these attempts and their security can refer to the recently published book Group-based Cryptography (by Myasnikov, Shpilrain, and Ushakov) [218].

The rest of this chapter is organized as follows: In Section 5.2, we give a brief introduction to the well-known braid-based cryptography, including related fundamentals, cryptographic assumptions and related constructions, as well as our own contributions; In Section 5.3, we describe the Z-modular method that is used to develop cryptographic schemes based on noncommutative rings or (semi)groups; In Section 5.4, by using monomials instead of polynomials, we develop several cryptosystems based on the intractability of the conjugator search problem and related assumptions; In Section 5.5, an improved key agreement protocol over Thompson's group is presented; And finally, further remarks are addressed in Section 5.6.


5.2 Braid-Based Cryptography

5.2.1 Basic Definitions

For index $n \ge 2$, the braid group $B_n$ is defined by the generators $\sigma_1, \sigma_2, \ldots, \sigma_{n-1}$ and the relations $\sigma_i \sigma_j = \sigma_j \sigma_i$ for $|i - j| > 1$ and $\sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j$ for $|i - j| = 1$ ($1 \le i, j \le n-1$). This definition is called the Artin presentation and the generators are called Artin's generators. Intuitively, a geometrical illustration of the identity, denoted by $e$, of the braid group $B_4$ and the Artin generators (e.g., $\sigma_2^{\pm 1}$) is shown in Figure 5.2. Geometrically, the product of two braids is the braid obtained by merging the tail of the first braid with the head of the second braid. For example, Figure 5.3 shows a braid written as a product of Artin generators and their inverses. From the definition, we know that there is a natural isomorphism from $B_2$ to the integer additive group $\mathbb{Z}$. For $n \ge 3$, the braid group $B_n$ is infinite and noncommutative. For each $m (< n)$, the identity mapping on $\{\sigma_1, \ldots, \sigma_{m-1}\}$ naturally induces an embedding of $B_m$ into $B_n$. By this approach, it is easy to define the limit group $B_\infty$.

(a) $e$ (b) $\sigma_2$ (c) $\sigma_2^{-1}$

Figure 5.2: Geometrical illustration on identity and Artin generators

The relations used in the above definition shine the light of topology on braids, that is, continuously moving the curves with their ends fixed does not change the value of a braid. But algebraically, having a normal form (i.e., a unique presentation) for each braid is very useful, since it lets us compare two braids without resorting to topological images.

Figure 5.3: An example of geometric braids

For braid groups, there are some known normal forms, one of which, the (left) canonical form, is commonly used in cryptography. With respect to the Artin presentation, the complexity of transforming a braid into its canonical form is $O(|w|^2 n \log n)$, where $|w|$ is the length of $w$, i.e., the number of Artin generators in $w$ [26].

5.2.2 Conjugacy and Related Problems 

For two arbitrary braids $x, y \in B_n$, we say that they are conjugate, written as $x \sim y$, if $y = a^{-1} x a$ for some $a \in B_n$. Here $a$ or $a^{-1}$ is called a conjugator. In the braid group $B_n$, we can define the following cryptographic problems that are related to conjugacy [173,286]:

• Conjugacy deciding problem (CDP): Determine whether $x \sim y$ for a given instance $(x, y) \in B_n^2$.

• Conjugator searching problem (CSP): Find a braid $z \in B_n$ so that $y = z^{-1} x z$ for a given instance $(x, y) \in B_n^2$ with $x \sim y$.

• Matched conjugate searching problem (MCSP): Find a braid $y' \in B_n$ so that $y \sim y'$ and $x y \sim x' y'$ for a given instance $(x, x', y) \in B_n^3$ with $x \sim x'$.

• Matched triple searching problem (MTSP): Find a triple $(\alpha, \beta, \gamma) \in B_n^3$ so that $\alpha \sim x$, $\beta \sim y$, $\alpha\beta \sim x y$, $\gamma \sim y$ and $\alpha\gamma \sim x' y$ for a given instance $(x, x', y) \in B_n^3$ with $x \sim x'$.

• $k$-simultaneous conjugator searching problem ($k$-SCSP): Given $k$ pairs $(x_1, x_1'), \ldots, (x_k, x_k') \in B_n^2$ with $x_i' = s^{-1} x_i s$ for some $s \in B_n$ and $1 \le i \le k$, find a braid $z \in B_n$ so that $x_i' = z^{-1} x_i z$ for $1 \le i \le k$.

• Decomposition problem (DP): Given $(x, y) \in B_n^2$ and $S_1, S_2 \subseteq B_n$, find $z_1 \in S_1$ and $z_2 \in S_2$ so that $y = z_1 x z_2$.

• Root problem (RP): Given a positive integer $m$ and a braid $p \in B_n$ so that $p$ is an $m$th power in $B_n$, find an $m$th root of $p$, i.e., find a braid $r$ satisfying $r^m = p$.

By employing the terminology used in [173], we say that a problem is

• solvable, if there is a deterministic finite algorithm that outputs an accurate solution;

• unsolvable, if it is not solvable;

• tractable, if there is a probabilistic polynomial-time algorithm that outputs an accurate solution with non-negligible probability (with respect to the length of the description of the input instances);

• intractable, if it is not tractable.

At present, we know that all the above problems are solvable. However, we do not know whether they are tractable in general cases. It seems that all of them are intractable in the worst cases. According to [173,286], we always take the following reduction relations into consideration:

$\mathrm{CDP} \prec \mathrm{MCSP} \sim \mathrm{MTSP} \preceq \mathrm{CSP}$, (5.3)

where $\prec$, $\preceq$ and $\sim$ denote the relations "easier than," "not harder than," and "as hard as," respectively.
In [173], Ko et al. also described an efficient algorithm to solve CDP with overwhelming accuracy (see footnote 4). This algorithm is the common basis for all existing braid-based signatures because the verification algorithms need to determine whether two given braids are conjugate.

Also, MCSP seems as hard as CSP according to the heuristic analysis in [173]. In our opinion, this is why MCSP is used to design signature schemes in [173].

At present, the relationship between $k$-SCSP and CSP is unclear. Although it has not been rigorously proven which of them is easier, some approximate methods and heuristic analysis suggest that the former seems easier than the latter [286]. Therefore, if a cryptographic scheme bases its security on the assumption that $k$-SCSP is intractable, we say that it suffers from the weakness of $k$-simultaneous conjugacy.

The relation between CSP and DP is also unclear at present. On the one hand, a solution $z$ of CSP is also a solution for DP only if $z^{-1} \in S_1$ and $z \in S_2$ hold simultaneously; on the other hand, a solution $(z_1, z_2)$ for DP becomes a solution for CSP only if $z_1 = z_2^{-1}$ holds.

According to [260], the only known algorithm for RP consists of explicitly enumerating several conjugacy classes related to the initial braid $p$. This enumeration process is exponential in essence and therefore becomes infeasible when the lengths of the braids are large enough. In practice, RP appears to be even more difficult than CSP. Note that the braid groups are torsion-free, i.e., if $b$ is a nontrivial braid, then $b^m$ is not trivial for every $m \ge 2$.

Although some algorithms for solving CSP have been proposed [108,113,118,125], none of them has been proven implementable with polynomial-time complexity (with respect to the braid index $n$). To date, Gebhardt's algorithm [118], which was proposed in 2003 but formally published in 2005, is the most efficient method for solving CSP in braid groups. This algorithm has not yet been proven implementable within polynomial time. Consequently, CSP in braid groups is classified into cases for further study. According to Garber's report [117], within polynomial time we can only solve CSP in periodic braids. There exist two kinds of challenges in obtaining ultimate solutions for CSP in braid groups: one is how to solve CSP in rigid braids within polynomial time, and the other is how to find polynomial bounds on the complexity of Gebhardt's method.

4 We say an algorithm has overwhelming accuracy if its outputs are accurate with probability negligibly close to 1.

Considering that the assumption of the intractability of CSP plays a central role in braid-based cryptography, Ko et al. [173] introduced the concept of a CSP-hard pair. Let $S_1$ and $S_2$ be two subgroups of $B_n$. A pair $(x, x') \in S_1 \times S_2$ is said to be CSP-hard if $x \sim x'$ and this CSP instance is intractable. It is more meaningful to define a special sampling algorithm, a CSP-hard pair generator, rather than to define a particular CSP-hard pair. A CSP-hard pair generator $\mathcal{K}_{csp}$ can be defined as follows:

• $\mathcal{K}_{csp}(n)$ is a probabilistic polynomial-time algorithm that takes the security parameter $n$ as input, and outputs a triple $(p, q, w) \in B_n^3$ so that $q = w^{-1} p w$ holds and the CSP instance $(p, q)$ is intractable.

For details regarding the methods to construct such a CSP-hard pair generator, please refer to [93], [173], [206] and [174]. In particular, in [174], Ko et al. proposed several promising ways to generate hard instances of the conjugacy problems for braid cryptography.

5.2.3 Key Exchange, Encryption and Authentication 

Now, let us have a quick review of the cryptographic protocols from braid groups. The first protocol was proposed theoretically by Anshel et al. for arbitrary Garside groups in 1999 [6], and implemented in braid groups in 2001 [5]. This protocol assumed that the CSP problem is difficult enough.

Let $A = \{l_1, \ldots, l_k\}$ be an alphabet. For a given word $u$ on $A$, let $u(p_1, \ldots, p_k)$ denote the substitution of each $l_i$ in $u$ by $p_i$ (for all $1 \le i \le k$). Suppose that Alice's secret key is a word $u$ on an alphabet of size $k$, while Bob's secret key is a word $v$ on a different alphabet of size $m$. The key exchange protocol works as follows:

Protocol 5.2.1. Anshel et al.'s Key Exchange:

• Public settings: $p_1, \ldots, p_k$ and $q_1, \ldots, q_m$ in $B_n$.

• Private keys: Alice: $u$; Bob: $v$.

• Exchange: Alice computes $s = u(p_1, \ldots, p_k)$, and sends Bob the conjugates $q_1' = s q_1 s^{-1}, \ldots, q_m' = s q_m s^{-1}$; meanwhile, Bob computes $r = v(q_1, \ldots, q_m)$, and sends Alice the conjugates $p_1' = r p_1 r^{-1}, \ldots, p_k' = r p_k r^{-1}$.

• Key deriving: Alice computes $K_A = H(s \cdot u(p_1', \ldots, p_k')^{-1})$, and Bob computes $K_B = H(v(q_1', \ldots, q_m') \cdot r^{-1})$, where $H$ is the colored Burau representation defined by Morton [215]. (Essentially, $H$ is a key deriving function and can be instantiated by proper hashes.)

After the execution of this protocol, both Alice and Bob share the same key $K_A = K_B$, since the following equalities hold:

$s \cdot u(p_1', \ldots, p_k')^{-1} = s r \cdot u(p_1, \ldots, p_k)^{-1} r^{-1}$
$= s r s^{-1} r^{-1}$
$= s \cdot v(q_1, \ldots, q_m) s^{-1} r^{-1}$
$= v(q_1', \ldots, q_m') \cdot r^{-1}$.

The security of this protocol is based on the difficulty of a variant of CSP in $B_n$, namely $k$-SCSP (see the above subsection). In [5], it is suggested to work in $B_{80}$ with $k = m = 20$ and short initial braids $p_i, q_j$ of length 5 or 10.

The second protocol was proposed by Ko et al. [175]. Let $LB_n$ (resp. $UB_n$), a subgroup of $B_n$, be generated by $\sigma_1, \ldots, \sigma_{m-1}$ (resp. $\sigma_{m+1}, \ldots, \sigma_{n-1}$) with $m = \lfloor n/2 \rfloor$. Then, every braid in $LB_n$ commutes with every braid in $UB_n$.

Protocol 5.2.2. Ko et al.'s Key Exchange:

• Public settings: a braid $p$ in $B_n$.

• Private keys: Alice: $s \in LB_n$; Bob: $r \in UB_n$.

• Exchange: Alice sends Bob $p' = s p s^{-1}$; meanwhile, Bob sends Alice $p'' = r p r^{-1}$.

• Key deriving: Alice computes $K_A = s p'' s^{-1}$; Bob computes $K_B = r p' r^{-1}$.

After the execution of this protocol, both Alice and Bob share the same key $K_A = K_B = s r p r^{-1} s^{-1}$, since $s$ and $r$ commute. The security of this protocol is based on the difficulty of the so-called Diffie-Hellman-like conjugacy problem (DHCP). DHCP is to find the braid $r p' r^{-1}$, or equivalently $s p'' s^{-1}$, for given braids $p, p', p'' \in B_n$, where $p' = s p s^{-1}$ and $p'' = r p r^{-1}$ for some $s \in LB_n$ and $r \in UB_n$. The suggested parameters are $n = 80$, and the working braids are specified by normal sequences of length 12.

Furthermore, in the same paper [175], Ko et al. gave a fully fledged public-key encryption scheme based on the above Diffie-Hellman-like key exchange protocol. Suppose a hash function $h$, which maps a braid into a bit-string of proper length, is at hand, and Alice's public key is the pair $(p, p') \in B_n^2$ with $p' = s p s^{-1}$, where $s \in LB_n$ is Alice's private key. To send a message $m$ to Alice, Bob chooses a random braid $r \in UB_n$ and sends the ciphertext $c = m \oplus h(r p' r^{-1})$, together with the additional datum $p'' = r p r^{-1}$. Now, Alice computes the plaintext $m = c \oplus h(s p'' s^{-1})$. Apparently, this scheme is consistent and its security is also based on the difficulty of the DHCP problem. (Unfortunately, a deterministic polynomial-time algorithm for solving the DHCP problem over braid groups was found by Cha et al. [82] in 2003. Thus, Ko et al.'s key exchange protocol, as well as the derived encryption scheme, is no longer secure.)


In 2006, Sibert et al. [260] designed three authentication schemes by using braid word reduction. The first scheme is based on DHCP, the second is based on CSP, and the third is based on CSP and RP. Considering that the first becomes insecure (see footnote 5) according to the aforementioned polynomial-time algorithm of Cha et al., we merely introduce the second and the third herein.

5 In fact, Sibert et al.'s work was originally proposed in 2002, before Cha et al.'s work was published in 2003.

Protocol 5.2.3. Sibert et al.'s Authentication Scheme II:

• Key generation:

- A(lice) chooses a public braid $b \in B_n$, so that the CSP problem for $b$ is hard;

- A chooses a secret braid $s \in B_n$ as her private key; she computes $b' = s b s^{-1}$ and publishes the pair $(b, b')$ as her public key.

• Authentication: Repeat the following exchanges $k$ times, where $k$ is a polynomial function of the size of the braids specified:

- A chooses a random braid $r$, and sends $x = r b r^{-1}$ to B(ob);

- B sends a random bit $e$ to A;

- For $e = 0$, A sends $y = r$ to B, and B checks $x = y b y^{-1}$;

- For $e = 1$, A sends $y = r s^{-1}$ to B, and B checks $x = y b' y^{-1}$.

Protocol 5.2.4. Sibert et al.'s Authentication Scheme III:

• Key generation:

- A(lice) chooses a secret braid $s \in B_n$ and computes $b = s^2$, so that both the CSP problem for $s$ and $b$, and the RP problem for $b$ are difficult; the public key is $b$ and the private key is $s$.

• Authentication: Repeat the following exchanges $k$ times:

- A chooses a random braid $r$, and sends $x = r b r^{-1}$ to B(ob);

- B sends a random bit $e$ to A;

- For $e = 0$, A sends $y = r$ to B, and B checks $x = y b y^{-1}$;

- For $e = 1$, A sends $y = r s r^{-1}$ to B, and B checks $x = y^2$.

Sibert et al. proved that when the probability distribution of $r$ picked by Alice at the authentication step is right-invariant, the above authentication schemes are zero-knowledge interactive proofs of knowledge of $s$, under the corresponding intractability assumptions.
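Protocols 5.2.2 and 5.2.3 above, as an added example that is not from the book: it runs Ko et al.'s key exchange and one round of Sibert et al.'s Scheme II on braid words in $B_6$ with constructed toy parameters, and decides braid equality through the faithful Artin representation $B_n \to \mathrm{Aut}(F_n)$, my substitution for the canonical-form comparison the text relies on (the braids are far smaller than the suggested $n = 80$).

```python
"""Added example (not from the book): Protocols 5.2.2 and 5.2.3 on braid words.
Braid equality is decided with the faithful Artin representation B_n -> Aut(F_n)
rather than the left canonical form used in the text."""
from typing import List, Tuple

Word = Tuple[int, ...]   # free-group word: +j is x_j, -j is x_j^{-1}
Braid = List[int]        # braid word: +i is sigma_i, -i is sigma_i^{-1}


def free_reduce(w: List[int]) -> Word:
    """Cancel adjacent pairs x_j x_j^{-1} in a free-group word."""
    out: List[int] = []
    for g in w:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return tuple(out)


def apply_generator(w: Word, i: int) -> Word:
    """Image of w under sigma_i (i > 0) or sigma_i^{-1} (i < 0), using Artin's
    action sigma_i: x_i -> x_i x_{i+1} x_i^{-1}, x_{i+1} -> x_i, others fixed."""
    k = abs(i)
    if i > 0:
        images = {k: [k, k + 1, -k], k + 1: [k]}
    else:
        images = {k: [k + 1], k + 1: [-(k + 1), k, k + 1]}
    out: List[int] = []
    for g in w:
        img = images.get(abs(g), [abs(g)])
        if g < 0:                       # x_j^{-1} maps to the inverse word
            img = [-x for x in reversed(img)]
        out.extend(img)
    return free_reduce(out)


def artin_image(b: Braid, n: int) -> Tuple[Word, ...]:
    """Images of x_1..x_n under b. Two braid words are equal in B_n exactly
    when these tuples agree, because the Artin representation is faithful."""
    imgs = []
    for j in range(1, n + 1):
        w: Word = (j,)
        for g in b:                     # right action: letters applied in order
            w = apply_generator(w, g)
        imgs.append(w)
    return tuple(imgs)


def braids_equal(a: Braid, b: Braid, n: int) -> bool:
    return artin_image(a, n) == artin_image(b, n)


def inverse(b: Braid) -> Braid:
    return [-g for g in reversed(b)]


def conjugate(s: Braid, p: Braid) -> Braid:
    """The braid word s p s^{-1}."""
    return s + p + inverse(s)


def ko_key_exchange(n: int, p: Braid, s: Braid, r: Braid):
    """Protocol 5.2.2: s in LB_n, r in UB_n. Returns (p', p'', K_A, K_B)."""
    p1 = conjugate(s, p)       # Alice -> Bob:  p'  = s p s^{-1}
    p2 = conjugate(r, p)       # Bob -> Alice:  p'' = r p r^{-1}
    k_a = conjugate(s, p2)     # Alice: s p'' s^{-1}
    k_b = conjugate(r, p1)     # Bob:   r p' r^{-1}
    return p1, p2, k_a, k_b


def sibert_round(n: int, b: Braid, s: Braid, r: Braid, e: int) -> bool:
    """One round of Protocol 5.2.3 seen from Bob's side: Alice (secret s, public
    (b, b' = s b s^{-1})) commits x = r b r^{-1}; the bit e picks the opening."""
    b_pub = conjugate(s, b)
    x = conjugate(r, b)
    y = r if e == 0 else r + inverse(s)          # y = r  or  y = r s^{-1}
    target = b if e == 0 else b_pub
    return braids_equal(x, conjugate(y, target), n)


if __name__ == "__main__":
    # Constructed toy parameters in B_6: LB_6 = <sigma_1, sigma_2>, UB_6 = <sigma_4, sigma_5>.
    p, s, r = [1, -3, 5], [1, 2], [5, -4]
    _, _, k_a, k_b = ko_key_exchange(6, p, s, r)
    print("Ko key exchange agrees:", braids_equal(k_a, k_b, 6))
    ok = all(sibert_round(6, [1, -3, 4], [1, 2], [2, -4], e) for e in (0, 1))
    print("Sibert rounds pass:", ok)
```

If Bob's $r$ uses a generator outside $UB_n$ (so $s$ and $r$ no longer commute), `braids_equal(k_a, k_b, n)` returns `False`, which is exactly the key mismatch the commuting-subgroup requirement prevents.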

5.2.4 Braid-Based Signatures 

In their pioneering paper on braid-based cryptography [175], Ko et al. pointed out that there are several challenges in finding a new digital signature scheme by using hard problems in braid groups. Two years later, Ko's team [173] reported two of the earliest braid-based signature schemes: the first scheme, denoted by SCSS, is based on the MCSP problem, and the second one, denoted by TCSS, is based on the MTSP problem. However, Ko et al. did not present a security proof for SCSS. As for TCSS, it was merely proved to be secure against no-message attacks in the random oracle model. This lack of security proofs for braid-based signatures lasted for several years. In 2007, we [284], enlightened by the idea of "One-More-RSA-Inversion Problems" [22], defined the so-called one-more matching conjugate problem (OM-MCP) and proved that in the random oracle model both SCSS and TCSS are existentially unforgeable against adaptively chosen message attacks (EUF-CMA) assuming that OM-MCP is intractable (see the next subsection).

Protocol 5.2.5. Simple Conjugate Signature Scheme (SCSS):

• System parameters: A noncommutative group $G$ where CSP is intractable but CDP is tractable; a hash function $h$ that maps a message $m$ into an element in $G$.

• Key generation: A public key is a CSP-hard pair $(x, x') \in G^2$, and a secret key is $a \in G$ so that $x' = a^{-1} x a$.

• Signing: Given a message $m$, a signature $s$ is given by $s = a^{-1} y a$, where $y = h(m)$.

• Verifying: A signature $s$ is valid if and only if $s \sim y$ and $x' s \sim x y$.

Protocol 5.2.6. Triple Conjugate Signature Scheme (TCSS):

• System parameters: A noncommutative group $G$ where CSP is intractable but CDP is tractable; a hash function $h$ that maps a message $m$ into an element in $G$.

• Key generation: A public key is a CSP-hard pair $(x, x') \in G^2$, and a secret key is $a \in G$ so that $x' = a^{-1} x a$.

• Signing: Given a message $m$, choose $b \in G$ at random and let $\alpha = b^{-1} x b$ and $y = h(m \| \alpha)$; then a signature $s$ is given by the triple $s = (\alpha, \beta, \gamma)$ where $\beta = b^{-1} y b$ and $\gamma = b^{-1} a y a^{-1} b$.

• Verifying: A signature $s = (\alpha, \beta, \gamma)$ is valid if and only if $\alpha \sim x$, $\beta \sim \gamma \sim y$, $\alpha\beta \sim x y$ and $\alpha\gamma \sim x' y$.

5.2.5 One-More Like Assumptions and Provable Security 

Suppose that $N$ is the security parameter. A one-more matching conjugate problem attacker (om-mcp attacker for short) is a probabilistic polynomial-time algorithm $A$ that gets input $p, q$ and has access to two oracles: the matching conjugate oracle $O_{mc}(\cdot)$ and the challenge oracle $O_{ch}()$. We say that the attacker $A$ wins the game if it succeeds in matching conjugates with all $n(N)$ braids output by the challenge oracle, but submits at most $m(N)$ queries to the matching conjugate oracle, where $m, n : \mathbb{N} \to \mathbb{N}$ are two polynomial functions defined over $\mathbb{N}$ so that $m(N) < n(N)$ holds. More formally, $A$ is invoked in the following experiment.

Experiment $\mathrm{Exp}^{om\text{-}mcp}_{A}(N)$
  $(p, q, w) \leftarrow \mathcal{K}_{csp}(N)$; $n \leftarrow 0$; $m \leftarrow 0$
  $(r_1, \ldots, r_{n'}) \leftarrow A^{O_{mc}, O_{ch}}(p, q, N)$
  If $n' = n$ and $m < n$ and $\forall i = 1, \ldots, n$: $(r_i \sim c_i) \wedge (q r_i \sim p c_i)$
  then return 1 else return 0

where the oracles are defined as

Oracle $O_{mc}(b)$
  $m \leftarrow m + 1$
  Return $w^{-1} b w$

Oracle $O_{ch}()$
  $n \leftarrow n + 1$; $c_n \xleftarrow{\$} B_N$
  Return $c_n$

The om-mcp advantage of $A$, denoted by $\mathrm{Adv}^{om\text{-}mcp}_{A}(N)$, is the probability that the above experiment returns 1, taken over the coins of $\mathcal{K}_{csp}$, the coins of $A$, and the coins used by the challenge oracle across its invocations. The one-more matching conjugate assumption says that the one-more matching conjugate problem associated with $\mathcal{K}_{csp}$ is hard, i.e., the function $\mathrm{Adv}^{om\text{-}mcp}_{A}(N)$ is negligible with respect to the security parameter $N$ for all probabilistic polynomial-time adversaries $A$.

Now, let us consider the modes for sampling each $c_i$. If the adversary $A$ can find some $k \in \mathbb{Z}$ and $j \in \{1, \ldots, m(N)+1\}$ so that

$c_j = p^k$, (5.4)

then $A$ can set $r_j = q^k$. That is, the adversary can compute $r_j$ correctly without querying the oracle $O_{mc}$ and can win the game. Similarly, if the adversary $A$ can find some $j \in \{1, \ldots, m(N)+1\}$ and $\alpha_i$, $i = 1, \ldots, j-1, j+1, \ldots, m(N)+1$, so that

$c_j = \prod_{i=1, i \ne j}^{m(N)+1} c_i^{\alpha_i}$, (5.5)

then

$r_j = \prod_{i=1, i \ne j}^{m(N)+1} r_i^{\alpha_i}$. (5.6)

Thus, the adversary can query $c_i$, $i = 1, \ldots, j-1, j+1, \ldots, m(N)+1$, one by one and then obtain the corresponding $r_i$. Now, he can also compute $r_j$ correctly without querying the oracle again, and he can still win the game.

However, if each $c_i$ is sampled randomly from $B_N$, the probability that the adversary can find $k$, $j$ and $\alpha_i$, $i = 1, \ldots, j-1, j+1, \ldots, m(N)+1$, so that equality (5.4) or equality (5.5) holds is negligible with respect to the system parameter $N$. If $A$ tries to deduce equation (5.5) from right to left, he has to try and try, with little advantage over guessing at random. If he tries to deduce equation (5.5) from left to right, he has to solve a root problem, which is intractable according to [93], for each $\alpha_i (> 0)$. If the adversary $A$ tries to find $k$ and $j$ so that equality (5.4) holds, he has to test each $p^k$, $k \in \mathbb{Z}$, by checking whether $p^k = c_j$ holds. However, since $\langle p \rangle$ is an infinite subgroup of $B_N$, the probability that the adversary can find such a pair $(k, j)$ is also negligible with respect to $N$.

If the adversary is permitted to choose these $c_j$, he can select $c_j$ so that equality (5.4) or equality (5.5) holds, and this situation cannot be detected easily. Therefore, in our proposal the users, including the adversaries, are not allowed to choose these $c_j$ by themselves. The users are allowed to perform queries on adaptively chosen messages, and we employ a one-way hash function by which each message is mapped to a braid randomly sampled from $B_N$. The one-wayness of the hash function excludes the possibility of choosing $c_j$ at the users' will.

Theorem 5.2.7. In the random oracle model, the braid-based digital signature scheme SCSS is existentially unforgeable against adaptively chosen-message attack assuming that the one-more matching conjugate problem (OM-MCP) is intractable. More specifically, suppose that there is a forger $\mathcal{F}$ that can $(t, q_h, q_s, \epsilon)$-break SCSS; then there exists an om-mcp attacker $A$ that can win the one-more matching conjugate experiment with probability at least $\epsilon'$ within time $t'$, where

$\epsilon' = \epsilon$, (5.7)

$t' = t + t_s \cdot q_s + t_h \cdot q_h + t_{mc} \cdot (n(N) - q_s)$, (5.8)

where $n : \mathbb{N} \to \mathbb{N}$ is a polynomial function defined over $\mathbb{N}$, while $t_s$, $t_h$, and $t_{mc}$ are the times for answering a signing oracle query, a hash oracle query and a matching conjugate oracle query, respectively.

Proof. That the forger $\mathcal{F}$ can $(t, q_h, q_s, \epsilon)$-break SCSS means that $\mathcal{F}$ can output a forged signature $(m^*, r^*)$ successfully with probability at least $\epsilon$ after it has made $q_h$ hash queries and $q_s$ signing queries, and obtained the corresponding signatures $\sigma_i = (m_i, r_i)$, $i = 1, \ldots, q_s$. A successful forgery $(m^*, r^*)$ means that $r^* \sim H(m^*)$ and $q r^* \sim p H(m^*)$ hold while $\mathcal{F}$ has never made a signing query on the message $m^*$. Now, let us construct another algorithm $A$ so that $A$ can win the experiment $\mathrm{Exp}^{om\text{-}mcp}_{A}(N)$ with probability at least $\epsilon' = \epsilon$.

Without loss of generality, we assume that $q_h$ and $q_s$ are bounded by $n(N)$. The challenge the adversary $A$ faces is, for given $c_i$, $i = 1, \ldots, n(N)+1$, to output $r_i$, $i = 1, \ldots, n(N)+1$, so that $r_i \sim c_i$ and $q r_i \sim p c_i$ hold, with access to the matching conjugate oracle $O_{mc}$ at most $n(N)$ times.

The algorithm $A$ is constructed as follows:

• Initialize. We define a hash list H-List as follows: H-List includes three fields, m-field, r-field and c-field. At the beginning, let H-List contain $n(N)+1$ items. For each item, the m-field and r-field are set to empty while the c-field is set to $c_i$ accordingly. Then, set $i = 0$.

• Let $A$ play the following interactive game with the forger $\mathcal{F}$.

(1) Answer $\mathcal{F}$'s hash queries and signing queries as follows:

- Hash query on $m$: Locate $m$ in the m-field of H-List. If found, i.e., $H(m)$ has been asked before, return the corresponding c-field as the reply; otherwise, set $i = i + 1$, fill $m$ into the m-field of the $i$th item of H-List, and then return the corresponding c-field as the reply.

- Signing query on $m$: Assume that $\mathcal{F}$ has asked $H(m)$ before (otherwise, the algorithm $A$ can make such a query on behalf of the forger $\mathcal{F}$). Then, there exists some $i \in \{1, \ldots, n(N)+1\}$ so that $c_i = H(m)$ holds. Now, let the algorithm $A$ make a query on $c_i$ to the matching conjugate oracle $O_{mc}$ and obtain the response $r_i$. Finally, let the algorithm $A$ fill $r_i$ into the r-field of the $i$th item of H-List and forward $r_i$ as the signing reply to the forger $\mathcal{F}$.

Clearly, the algorithm $A$ provides perfect simulations of hash queries and signing queries for $\mathcal{F}$.

(2) Suppose that after $q_s$ signing queries, the forger $\mathcal{F}$ outputs a forged signature $r^*$ on message $m^*$. Without loss of generality, suppose that $\mathcal{F}$ has made a hash query on $m^*$ (if not, let $A$ execute the query on behalf of $\mathcal{F}$). Then, there exists some $j \in \{1, \ldots, n(N)+1\}$ so that $c_j = H(m^*)$. Now, we set $r_j = r^*$.

(3) If $V(m^*, r^*, pk) = 0$, then let $A$ abort. Otherwise, let $A$ continue.

(4) Locate the pair $(m^*, r^*)$ in the (m, r)-fields of H-List. If found, i.e., $\mathcal{F}$ has made a signing query on $m^*$ before, then let $A$ abort; otherwise, let $A$ fill $r_j = r^*$ into the r-field of the $j$th item of H-List and continue.

• For each $c_i$, $i = 1, \ldots, j-1, j+1, \ldots, n(N)+1$, if the r-field of the $i$th item of H-List is empty, let the algorithm $A$ invoke a matching conjugate query $O_{mc}(c_i)$ and fill the corresponding response $r_i$ into the r-field of the $i$th item of H-List.

• Finally, let the algorithm $A$ read each $r_i$, $i = 1, \ldots, n(N)+1$, from the r-field of H-List and output it as the $i$th response for the challenge $c_i$. Apparently, each $r_i$ satisfies $(r_i \sim c_i)$ and $(q r_i \sim p c_i)$ while $A$ has never made a query on $c_j$ to the matching conjugate oracle $O_{mc}$. That is, the algorithm $A$ needs to query the matching conjugate oracle $O_{mc}$ exactly $n(N)$ times, which is strictly less than the $n(N)+1$ braids output by the challenge oracle with which $A$ succeeds in matching conjugates. Therefore, $A$ wins the experiment $\mathrm{Exp}^{om\text{-}mcp}_{A}(N)$.

The above reduction shows that as soon as the forger $\mathcal{F}$ outputs a successful forgery (i.e., the algorithm $A$ has not aborted before the end of its run), the algorithm $A$ wins the experiment $\mathrm{Exp}^{om\text{-}mcp}_{A}(N)$ with probability 1. That is, the probability for $A$ to win the experiment is just the probability for $\mathcal{F}$ to output a successful forgery, so $\epsilon' = \epsilon$. According to the construction of $A$, the total running time of $A$ is $\mathcal{F}$'s running time plus the time for answering $\mathcal{F}$'s signing and hash queries and the time for $A$ to make the remaining matching conjugate queries. Thus, we have $t' = t + t_s \cdot q_s + t_h \cdot q_h + t_{mc} \cdot (n(N) - q_s)$. □

Similarly, a provable EUF-CMA security reduction for TCSS can also be con¬ 
structed by using a one-more like assumption and a random oracle model. 

5.2.6 New Cryptographic Problems in Braid Groups 

Finding new hard problems, as well as their variants, is always an interesting practice for (public-key) cryptography. In 2006, Dehornoy [94] suggested a new braid-based authentication scheme based on the shifted conjugate search problem. Let $x, y \in B_\infty$. The shifted conjugate operation is defined by

$x * y = x \cdot \partial y \cdot \sigma_1 \cdot \partial x^{-1}$, (5.9)

where $\partial x$ is the shift of $x$ in $B_\infty$. That is, the operator $\partial$ can be viewed as an injective function on $B_\infty$ which sends the generator $\sigma_i$ to the generator $\sigma_{i+1}$ for each $i \ge 1$.

Problem 5.2.8 (Shifted Conjugate Search Problem, Shifted-CSP). Let $s, p \in B_\infty$ and $p' = s * p$. Find a braid $s$ satisfying $p' = s * p$.

One cannot use the summit set theory to attack Shifted-CSP, but one can apply the length-based attack [117] to try to solve Shifted-CSP. So it is interesting to study the following issues.

(1) How to evaluate the length-based attacks on Shifted-CSP? 

(2) How to develop a theory for Shifted-CSP that will be parallel to the summit sets 
theory for CSP? 

(3) How to design new cryptosystems based on shifted-CSP that will be secure 
against all currently known attacks? 

A different type of problem consists in finding the shortest words representing a given braid. We consider this problem in $B_\infty$, which is the group generated by an infinite sequence of generators $\{\sigma_1, \sigma_2, \ldots\}$ subject to the usual braid relations.

Problem 5.2.9 (Shortest Word Problem, SWP). Given a word $w$ that is represented by a sequence of $\sigma_i^{\pm 1}$ ($i = 1, 2, \ldots$), find the shortest word $w'$ so that $w' = w$.

Paterson and Razborov [226] proved that the SWP problem is co-NP-complete. This suggests designing new cryptographic schemes in which the secret key is a short braid word, and the public key is another, longer, equivalent braid word. It must be noted that the co-NP-hardness of SWP holds in $B_\infty$ only; it is not known in $B_n$ for fixed $n$. Polynomial-time algorithms for the SWP problem (with the Artin presentation or the band presentation) in $B_n$ for small fixed $n$ have already been reported [24,25,167,297]. Also, an unpublished work indicates that a heuristic algorithm based on a random walk on the Cayley graph of the braid group might give good results in solving the SWP problem [117]. Thus, the following problems are interesting.

(4) How to design a cryptosystem based on the SWP in $B_\infty$ by using the results of Paterson and Razborov?

(5) How hard is the SWP problem in $B_n$ for a fixed and moderate scale $n$, say $n > 50$?

In short, to resist these attacks on those schemes, one can try to change the distribution of the generators [112]. In this respect, Maffre [206] proposed a new random algorithm for generating keys which are secure against the length-based attack of Hofheinz and Steinwandt [144].

5.3 Z-Modular Method 

In 2006, we [73] proposed a method for building public key cryptosystems by using noncommutative rings. Given a noncommutative ring $R$, our proposal can work over a derived Z-modular structure $\mathbb{Z}[r]$, or a similar Z-modular structure $\mathbb{Z}^+[r]$ (where $r \in R$ is undetermined), provided that the corresponding derived cryptographic assumptions are reasonable. Moreover, the Z-modular method is extended to noncommutative groups and noncommutative semigroups. The method developed in our schemes is called the Z-modular method.

In what follows, we use $\mathbb{Z}^+$ (resp. $\mathbb{Z}^-$) to denote the set of all positive (resp. negative) integers.

5.3.1 Z-Modular Method over Noncommutative Rings 

In this subsection, we give a very brief review of basic concepts about Z-modular structures over noncommutative rings. Readers who know these concepts can go to the next subsection directly.

Suppose that $R$ is a ring with $(R, +, 0)$ and $(R, \cdot, 1)$ as its additive abelian group and multiplicative non-abelian semigroup, respectively. Let us consider integral coefficient polynomials with ring assignment. The notion of scalar multiplication over $R$ is already well-defined. For $k \in \mathbb{Z}^+$ and $r \in R$,

$(k)r = \underbrace{r + \cdots + r}_{k \text{ times}}$. (5.10)

When $k \in \mathbb{Z}^-$, we define

$(k)r = (-k)(-r) = \underbrace{(-r) + \cdots + (-r)}_{-k \text{ times}}$. (5.11)

For $k = 0$, it is natural to define $(k)r = 0$.

Proposition 5.3.1. $(a)r^m \cdot (b)r^n = (ab)r^{m+n} = (b)r^n \cdot (a)r^m$, $\forall a, b, m, n \in \mathbb{Z}$ and $\forall r \in R$.

Proof. According to the definition of scalar multiplication, the distributivity of multiplication with respect to addition, and the commutativity of addition, this statement follows immediately. □

Remark 5.3.2. In general, $(a)r \cdot (b)s \ne (b)s \cdot (a)r$ when $r \ne s$, since multiplication in $R$ is noncommutative.

Recall a polynomial with positive integral coefficients $f(x) = a_0 + a_1 x + \cdots + a_n x^n \in \mathbb{Z}^+[x]$. If we assign the undetermined element $x$ to an element $r \in R$, then we obtain a well-defined element in $R$ as shown below:

$f(r) = \sum_{i=0}^{n} (a_i) r^i = (a_0)1 + (a_1)r + \cdots + (a_n)r^n$. (5.12)

Further, let $r$ be undetermined; then $f(r)$ is a univariate polynomial over $R$. The set of all (positive integral coefficient) univariate polynomials over $R$ is denoted by $\mathbb{Z}^+[r]$.


Suppose that f(r) 
then 


n 


Y.{ a i) rl £ Z+[r], h(r) 

i =0 


J2 (bj)ri G Z + [r] and n > m, 

3=0 


m \ / n \ 

+ bi)r l I + I ^2 j , (5.13) 

, 2=0 J \i=m+l / 

and according to Property 5.3.1 as well as the distributivity, we have 

( n \ / m \ n+m 

= (5 - 14) 

*=0 / \j =0 J i =0 

i 

where p, : = ^ a jbi-j = a jbk- And then, we have the following theorem. 

3=0 j+k—i 

Theorem 5.3.3. f(r) ■ h{r) = h{r) ■ /(r),V/(r),/i(r) G Z + [r]. 

5.3.2 New Problems over Noncommutative Rings 

We would like to introduce the following cryptographic problems over a noncommutative group $G$:

• Symmetrical Decomposition Problem (SDP): Given $(x, y) \in G \times G$ and $m, n \in \mathbb{Z}$, find $z \in G$ so that $y = z^m x z^n$.

• Generalized Symmetrical Decomposition Problem (GSDP): Given $(x, y) \in G \times G$, $S \subseteq G$ and $m, n \in \mathbb{Z}$, find $z \in S$ so that $y = z^m x z^n$.

Clearly, GSDP can be viewed as a constrained variant of SDP. In general, if the size of $S$ is large enough and its membership information does not help one to extract $z$ from $z^m x z^n$, we believe that GSDP is at least as hard as SDP.

In the above definition of GSDP, if the parameters $m$ and $n$ are fixed, we define a new function $e_{m,n}$ by

$e_{m,n} : G \times S \to G, \quad (x, z) \mapsto z^m x z^n$. (5.15)

Further, if we denote $z^m x z^n$ in the new form $x^z$, then the above function can be viewed as a newly introduced exponential operation on $G$ with respect to its subset $S$ (see footnote 6). Similarly, if $y = z^m x z^n$, then $z$ can be viewed as the discrete logarithm of $y$ with respect to the base $x$, i.e., $z$ can be denoted by $\log_x y$.

Now, we can regard GSDP as the discrete logarithm (DL) problem over $G$. Based on this observation, we introduce a new generalized computational Diffie-Hellman (GCDH) problem over $G$:

• Generalized Computational Diffie-Hellman Problem (GCDH): Compute $x^{z_1 z_2}$ (or $x^{z_2 z_1}$) given $x, x^{z_1}, x^{z_2} \in G$, where $G$ is a noncommutative group and $z_1, z_2 \in S \subseteq G$.

Note that if $z_1$ lies in the centralizer of $z_2$, i.e., $z_1$ commutes with $z_2$, then $x^{z_1 z_2} = x^{z_2 z_1}$ holds. It is clear that if GSDP, i.e., the DL problem over $G$, is tractable, so is the GCDH problem over $G$. But the converse is not true. At present, there is no clue how to solve this kind of GCDH problem without extracting $z_1$ (or $z_2$) from $x$ and $x^{z_1}$ (or $x^{z_2}$).

The GCDH assumption over $G$ says that the GCDH problem over $G$ is intractable, i.e., there is no probabilistic polynomial-time algorithm which can solve the GCDH problem over $G$ with non-negligible advantage with respect to the parameters of the problem scale.

Likewise, we arrive at the concepts of the GSD (also DL) and GCDH assumptions over a noncommutative semigroup $G$ and $m, n \in \mathbb{Z}^+$.

6 In the sequel we omit the clause "with respect to its subset $S$" for visual comfort, unless the set $S$ is explicitly specified.
Now, suppose that $(R, +, \cdot)$ is a noncommutative ring. For any $a \in R$, we define a set $P_a \subseteq R$ by

$$P_a = \{ f(a) : f(x) \in \mathbb{Z}^+[x] \}.$$

Then, let us consider the new versions of the GSD and GCDH problems over $(R, \cdot)$ with respect to its subset $P_a$, and name them the polynomial symmetric decomposition (PSD) problem and the polynomial Diffie-Hellman (PDH) problem respectively:

• Polynomial Symmetrical Decomposition (PSD) Problem: Given $(a, x, y) \in R^3$ and $m, n \in \mathbb{Z}$, find $z \in P_a$ so that $y = z^m x z^n$, where $R$ is a noncommutative ring.

• Polynomial Diffie-Hellman (PDH) Problem: Compute $x^{z_1 z_2}$ (or $x^{z_2 z_1}$) for given $a, x, x^{z_1}$, and $x^{z_2}$, where $a, x \in R$, $z_1, z_2 \in P_a$, and $R$ is a noncommutative ring.

Accordingly, the PSD (PDH, respectively) cryptographic assumption says that the PSD (PDH, respectively) problem over the ring $(R, \cdot)$ is intractable, i.e., there does not exist a probabilistic polynomial time algorithm which can solve the PSD (PDH, respectively) problem over $(R, \cdot)$ with non-negligible advantage with respect to the parameters of the problem scale.

5.3.3 Diffie-Hellman-Like Key Agreement Protocol

Now, let us consider a Diffie-Hellman-like key agreement protocol over a noncommutative ring $R$.

Protocol 5.3.4. Diffie-Hellman-Like Key Agreement Protocol over a Noncommutative Ring:

(0) Alice sends two random small, positive integers (say, less than 10) $m, n \in \mathbb{Z}^+$ and two random elements $a, b \in R$ to Bob.

(1) Alice chooses a random polynomial $f(x) \in \mathbb{Z}^+[x]$ so that $f(a) \neq 0$ and then takes $f(a)$ as her private key.

(2) Bob chooses a random polynomial $h(x) \in \mathbb{Z}^+[x]$ so that $h(a) \neq 0$ and then takes $h(a)$ as his private key.

(3) Alice computes $r_A = f(a)^m \cdot b \cdot f(a)^n$ and sends $r_A$ to Bob.

(4) Bob computes $r_B = h(a)^m \cdot b \cdot h(a)^n$ and sends $r_B$ to Alice.

(5) Alice computes $K_A = f(a)^m \cdot r_B \cdot f(a)^n$ as the shared session key.

(6) Bob computes $K_B = h(a)^m \cdot r_A \cdot h(a)^n$ as the shared session key.

In practice, steps (0), (1), and (3) can be finished simultaneously and require only one pass of communication from Alice to Bob. After that, steps (2) and (4) can be finished in one pass of communication from Bob to Alice. Finally, Alice and Bob execute steps (5) and (6), respectively. See Figure 5.4 for more details.


Alice: $m, n \leftarrow \mathbb{Z}^+$, $a, b \leftarrow R$, $f(x) \leftarrow \mathbb{Z}^+[x]$

Pass 1, Alice to Bob: $m, n, a, b, f(a)^m b f(a)^n$

Bob: $h(x) \leftarrow \mathbb{Z}^+[x]$

Pass 2, Bob to Alice: $h(a)^m b h(a)^n$

$K_A = f(a)^m h(a)^m b h(a)^n f(a)^n = h(a)^m f(a)^m b f(a)^n h(a)^n = K_B$

Figure 5.4: Diffie-Hellman-Like Key Agreement over Noncommutative Rings

Clearly, the above key agreement protocol can resist a passive adversary under the PDH assumption over the noncommutative monoid $(R, \cdot)$. Like the standard Diffie-Hellman protocol, the protocol depicted in Figure 5.4 cannot resist the man-in-the-middle (MIM) attack. But it is easy to improve it so that the improvement resists the MIM attack. This is left for interested readers.
5.3.4 ElGamal-Like Encryption Scheme

From the above key agreement protocol, we obtain the following ElGamal-like encryption scheme.

Protocol 5.3.5. ElGamal-Like Encryption (Basic) Scheme over a Noncommutative Ring:

• Setup: Suppose that SDP is intractable on the monoid $(R, \cdot)$, where $(R, +, \cdot)$ is a noncommutative ring. Pick two small positive integers $m, n \in \mathbb{Z}^+$. Let $H : R \to \mathcal{M}$ be a cryptographic hash function which maps $R$ to the message space $\mathcal{M}$. Set the public parameters of the system as the tuple $(R, m, n, \mathcal{M}, H)$.

• Key generation: Each user chooses two random elements $p, q \in R$ and a random polynomial $f(x) \in \mathbb{Z}^+[x]$ so that $f(p) \neq 0$, then takes $f(p)$ as his private key, computes $y = f(p)^m \cdot q \cdot f(p)^n$ and publishes his public key $(p, q, y) \in R^3$.

• Encryption: Given a message $M \in \mathcal{M}$ and the receiver's key $(p, q, y) \in R^3$, the sender chooses a random polynomial $h(x) \in \mathbb{Z}^+[x]$ so that $h(p) \neq 0$ and computes

$$c = h(p)^m \cdot q \cdot h(p)^n, \qquad d = H(h(p)^m \cdot y \cdot h(p)^n) \oplus M.$$

Output the ciphertext $(c, d) \in R \times \mathcal{M}$.

• Decryption: Upon receiving a ciphertext $(c, d) \in R \times \mathcal{M}$, the receiver, by using his private key $f(p)$, computes the plaintext

$$M = H(f(p)^m \cdot c \cdot f(p)^n) \oplus d.$$

Now, we prove that the above basic encryption scheme is "all-or-nothing" secure. The proof is very similar to that of Theorem 8.3 in [209].
Theorem 5.3.6. For a plaintext message uniformly distributed in the plaintext message space, the above encryption is "all-or-nothing" secure against CPA under the PDH assumption over the noncommutative ring $(R, +, \cdot)$, provided that $H$ is a random oracle.

Proof. On one hand, if the PDH problem is tractable, then for any given ciphertext pair $(c, d)$ and the corresponding public key $(p, q, y)$, it is easy to extract $k = c^{(\log_q y)}$ from the triple $(q, c, y)$ and then compute the plaintext $M = d \oplus H(k)$.

On the other hand, suppose that there exists an efficient adversary $\mathcal{A}$, with access to the random oracle $H$, who is able to break the above cryptosystem, i.e., given any public key $(p, q, y = f(p)^m q f(p)^n)$ and ciphertext $(c, d)$, $\mathcal{A}$ outputs

$$M \leftarrow \mathcal{A}^H(p, q, y, c, d)$$

with a non-negligible advantage $\epsilon$ so that $M$ satisfies

$$M = d \oplus H(y^{(\log_q c)}) = d \oplus H(c^{(\log_q y)}),$$

i.e.,

$$M = d \oplus H(h^m y h^n) \quad \text{and} \quad c = h^m q h^n$$

for some $h \in P_p$. Then, for an arbitrary PDH instance $(a, x, x^{z_1}, x^{z_2})$, we set $(a, x, x^{z_1})$ as the public key and $(x^{z_2}, d)$ as the ciphertext pair for a random $d \in \mathcal{M}$. Then, with advantage $\epsilon$, $\mathcal{A}$ outputs

$$M \leftarrow \mathcal{A}^H(a, x, x^{z_1}, x^{z_2}, d)$$

so that

$$M = d \oplus H(x^{z_1 z_2}), \quad \text{i.e.,} \quad M = d \oplus H(z_2^m z_1^m x z_1^n z_2^n)$$

for some $z_2 \in P_a$. Recall that $z_1 \in P_a$; thus $z_2 z_1 = z_1 z_2$ by Theorem 5.3.3. Then,

$$M = d \oplus H(z_1^m z_2^m x z_2^n z_1^n) = d \oplus H(x^{z_1 z_2}) = d \oplus H(x^{z_2 z_1}).$$

Clearly, if the adversary $\mathcal{A}$'s advantage $\epsilon$ is non-negligible, then $\mathcal{A}$ must make the corresponding $H$-query on $x^{z_1 z_2}$. Otherwise, without knowing the hash value $H(x^{z_1 z_2})$, $\mathcal{A}$'s advantage in computing the correct $M$ would be negligible, since $H$ is modeled as a cryptographic hash.

With the random oracle assumption on $H$, we can set up an $H$-list which contains two fields $(r_i, h_i)$ and is initialized empty. Whenever the adversary $\mathcal{A}$ makes an $H$-query with input $r$, we examine whether the pair $(r, h)$ exists in the $H$-list. If so, return $h$ as the answer to $\mathcal{A}$; otherwise, randomly pick $h \in \mathcal{M}$, put the pair $(r, h)$ into the $H$-list and return $h$ as the answer to $\mathcal{A}$. Clearly, the simulation of $H$ is perfect. Finally, when $\mathcal{A}$ outputs $M$, we can retrieve the correct item $x^{z_1 z_2} = r_i$ by checking the equality $M = d \oplus h_i$. Thus, we can solve the PDH problem with the non-negligible probability $\epsilon$. This contradicts the PDH assumption. □

The above theorem shows that the basic scheme has the weakest security, i.e., OW-CPA security. Although we could use a technique proposed by Fujisaki and Okamoto (at CRYPTO'99) [116] to convert the above basic scheme into a chosen ciphertext secure system in the random oracle model, we would like to adopt another technique also proposed by Fujisaki and Okamoto (at PKC'99) [115] because the latter is more compact.

First, we need to prove that the above basic scheme is IND-CPA secure.

Theorem 5.3.7. Let $H$ be a random oracle from $R$ to $\mathcal{M}$. Let $\mathcal{A}$ be an IND-CPA adversary that has advantage $\epsilon$ against the above basic scheme within $t$ steps. Suppose $\mathcal{A}$ makes a total of $q_H > 0$ queries to $H$. Then there is an algorithm $\mathcal{B}$ that solves the PDH problem over the noncommutative ring $R$ with advantage at least $\epsilon'$ within $t'$ steps, where

$$\epsilon' = \frac{2\epsilon}{q_H}, \quad \text{and} \quad t' = O(t).$$

Proof. The algorithm $\mathcal{B}$ takes as input a 4-tuple $(a, x, y_1, y_2)$ with $y_i = x^{z_i} = z_i^m x z_i^n$ for unknown $z_i \in P_a$, $i = 1, 2$, i.e., a PDH instance. Let $y = x^{z_1 z_2}$ denote the solution to the PDH instance.

• Setup. $\mathcal{B}$ sets the system parameters as $(R, m, n, \mathcal{M}, H)$ and $(a, x, y_1)$ as a public key.

• $H$-queries. $\mathcal{B}$ sets up an $H$-list which contains two fields $(r_j, h_j)$ and is initialized empty. Whenever the adversary $\mathcal{A}$ makes an $H$-query with input $r$, $\mathcal{B}$ examines whether the pair $(r, h)$ exists in the $H$-list. If so, return $h$ as the answer to $\mathcal{A}$; otherwise, randomly pick $h \in \mathcal{M}$, put the pair $(r, h)$ into the $H$-list and return $h$ as the answer to $\mathcal{A}$. Clearly, the simulation of $H$ is perfect.

• Challenge. When $\mathcal{A}$ outputs two messages $M_0$ and $M_1$, $\mathcal{B}$ picks a random string $d \in \mathcal{M}$ and sets $C$ as the ciphertext pair $(y_2, d)$. It then gives $C$ to $\mathcal{A}$ as the challenge. Notice that the plaintext corresponding to $C$ is $d \oplus H(x^{(\log_x y_1)(\log_x y_2)}) = d \oplus H(x^{z_1 z_2}) = d \oplus H(y)$. (Recall that $z_1$, $z_2$, and $y$ are all unknown to $\mathcal{A}$ and $y$ is just the solution to the above PDH instance.)

• Guess. $\mathcal{A}$ outputs its guess $b' \in \{0, 1\}$. At this point, $\mathcal{B}$ picks a random tuple $(r_j, h_j)$ from the $H$-list and outputs $r_j$ as the solution to the given PDH instance.

It is easy to see that $\mathcal{A}$'s view in $\mathcal{B}$'s simulation is the same as that in a real attack; in other words, the simulation is perfect. So $\mathcal{A}$'s advantage in this simulation will be $\epsilon$.

We let $\mathcal{H}$ be the event that $y$ is queried to the $H$ oracle during $\mathcal{B}$'s simulation. Notice that $H(y)$ is independent of $\mathcal{A}$'s view. If $\mathcal{A}$ never queries $y$ to the $H$ oracle in the above simulation, the plaintext corresponding to $C$ is also independent of $\mathcal{A}$'s view. Therefore, in the simulation we have $\Pr[b = b' \mid \neg\mathcal{H}] = 1/2$. We know that in the real attack (and also in the simulation) $|\Pr[b = b'] - 1/2| \geq \epsilon$. We have

$$\begin{aligned}
\Pr[b = b'] &= \Pr[b = b' \mid \neg\mathcal{H}]\Pr[\neg\mathcal{H}] + \Pr[b = b' \mid \mathcal{H}]\Pr[\mathcal{H}] \\
&\leq \Pr[b = b' \mid \neg\mathcal{H}]\Pr[\neg\mathcal{H}] + \Pr[\mathcal{H}] \\
&= \tfrac{1}{2}\Pr[\neg\mathcal{H}] + \Pr[\mathcal{H}] \\
&= \tfrac{1}{2} + \tfrac{1}{2}\Pr[\mathcal{H}],
\end{aligned}$$

$$\begin{aligned}
\Pr[b = b'] &\geq \Pr[b = b' \mid \neg\mathcal{H}]\Pr[\neg\mathcal{H}] \\
&= \tfrac{1}{2}\Pr[\neg\mathcal{H}] \\
&= \tfrac{1}{2}(1 - \Pr[\mathcal{H}]) \\
&= \tfrac{1}{2} - \tfrac{1}{2}\Pr[\mathcal{H}].
\end{aligned}$$

Hence, $|\Pr[b = b'] - 1/2| \leq \tfrac{1}{2}\Pr[\mathcal{H}]$. Since $|\Pr[b = b'] - 1/2| \geq \epsilon$, $\Pr[\mathcal{H}] \geq 2\epsilon$. Furthermore, by the definition of the event $\mathcal{H}$, we know that $y$ is in some tuple on the $H$-list with probability at least $2\epsilon$. It follows that $\mathcal{B}$ outputs the correct answer to the above PDH instance with probability at least $2\epsilon/q_H$. □


At PKC'99, Fujisaki and Okamoto [115] introduced a method to convert an IND-CPA encryption scheme into an IND-CCA2 scheme. To be self-contained, we rephrase their main idea as follows.

Suppose that $\Pi := \{\mathcal{K}, \mathcal{E}, \mathcal{D}\}$ is an IND-CPA secure public-key encryption scheme with key generation algorithm $\mathcal{K}(1^k)$, encryption algorithm $\mathcal{E}_{pk}(m, s)$ and decryption algorithm $\mathcal{D}_{sk}(y)$, where $pk$ and $sk$ are a public key and the corresponding private key, $m$ is a message with $k + k_0$ bits, $s$ is a random string with $l$ bits and $y$ is a ciphertext. The converted public-key encryption scheme $\bar\Pi := \{\bar{\mathcal{K}}, \bar{\mathcal{E}}, \bar{\mathcal{D}}\}$ is defined by

$$\bar{\mathcal{K}}(1^k) := \mathcal{K}(1^{k+k_0}),$$

$$\bar{\mathcal{E}}_{pk}(x, r) := \mathcal{E}_{pk}(x \,\|\, r, H(x \,\|\, r)),$$

$$\bar{\mathcal{D}}_{sk}(y) := \begin{cases} \mathrm{MSB}_k(\mathcal{D}_{sk}(y)), & \text{if } y = \mathcal{E}_{pk}(\mathcal{D}_{sk}(y), H(\mathcal{D}_{sk}(y))) \\ \bot, & \text{otherwise} \end{cases}$$

where $\mathrm{MSB}_k(\cdot)$ returns the leading $k$ bits of the input bit-string, $H$ is a random function from $\{0,1\}^{k+k_0}$ to $\{0,1\}^l$, $x$ is a message with $k$ bits, $r$ is a random string with $k_0$ bits and $\|$ denotes concatenation.

Theorem 5.3.8 (Fujisaki-Okamoto Theorem [115]). Suppose that $\Pi(1^{k+k_0})$ is an IND-CPA secure scheme and $\bar\Pi$ is the converted scheme. If there exists a $(t, q_H, q_D, \epsilon)$-breaker $\mathcal{A}$ for $\bar\Pi(1^k)$ in the sense of IND-CCA2 in the random oracle model, there exist a constant $c$ and a $(t', 0, 0, \epsilon')$-breaker $\mathcal{A}'$ for $\Pi(1^{k+k_0})$ where

$$\epsilon' = \big(\epsilon - q_H \cdot 2^{-(k_0 - 1)}\big) \cdot \big(1 - 2^{-l_0}\big)^{q_D} \quad \text{and} \quad t' = t + q_H \cdot (T_{\mathcal{E}}(k) + c \cdot k).$$

Here, a $(t, q_H, q_D, \epsilon)$-breaker $\mathcal{A}$ means that $\mathcal{A}$ stops within $t$ steps, succeeds with probability at least $\epsilon$, makes at most $q_H$ queries to the random oracle $H$, and makes at most $q_D$ queries to the decryption oracle $\mathcal{D}_{sk}$. $T_{\mathcal{E}}(k)$ denotes the computational time of the encryption algorithm $\mathcal{E}_{pk}(\cdot)$, and

$$l_0 := \log_2\Big(\min_{x \in \{0,1\}^{k+k_0}} \#\{\mathcal{E}_{pk}(x, r) \mid r \in \{0,1\}^l\}\Big).$$

Proof. See Theorem 3 in [115]. □

According to Fujisaki-Okamoto [115], we can convert our basic encryption into a new one which is IND-CCA2 secure by padding each plaintext with $k_0$ random bits. The new scheme has the same system parameters $(R, m, n, \mathcal{M})$. The cryptographic hash function $H$ in the basic scheme is replaced with two new cryptographic hash functions $H_1 : \{0,1\}^{k+k_0} \to \mathbb{Z}^+[x]$ and $H_2 : R \to \{0,1\}^{k+k_0}$, where $k$ is the length of an original message.

Protocol 5.3.9. ElGamal-Like Encryption (Improved) Scheme over a Noncommutative Ring:

• Setup: System public parameters include $(R, m, n, \mathcal{M})$ and $k_0, H_1, H_2$.

• Key generation: See the basic scheme.

• Encryption: Given a message $M \in \mathcal{M}$ and the receiver's key $(p, q, y = f(p)^m \cdot q \cdot f(p)^n) \in R^3$, the sender chooses a random $r \in \{0,1\}^{k_0}$ and extracts⁷ a polynomial $h(x) = H_1(M \,\|\, r) \in \mathbb{Z}^+[x]$ so that $h(p) \neq 0$, and then computes

$$c = h(p)^m \cdot q \cdot h(p)^n, \qquad d = H_2(h(p)^m \cdot y \cdot h(p)^n) \oplus (M \,\|\, r).$$

Output the ciphertext $(c, d) \in R \times \{0,1\}^{k+k_0}$.

• Decryption: Upon receiving a ciphertext $(c, d) \in R \times \{0,1\}^{k+k_0}$, the receiver, by using his private key, computes

$$M' = H_2(f(p)^m \cdot c \cdot f(p)^n) \oplus d.$$

Extract $g(x) = H_1(M') \in \mathbb{Z}^+[x]$ and check whether $c = g(p)^m \cdot q \cdot g(p)^n$ holds. If so, output the first $k$ bits of $M'$; otherwise, output $\bot$.

By Theorem 5.3.7 and Theorem 5.3.8, we have

⁷ See Remark 5.3.5 for further discussion.
Theorem 5.3.10. Let $H_1$ and $H_2$ be random oracles. Then the new scheme is an adaptively chosen ciphertext secure (IND-CCA2) encryption under the PDH assumption. More specifically, suppose there is an IND-CCA2 adversary $\mathcal{A}$ that has advantage $\epsilon$ against the new scheme within $t$ steps. Suppose $\mathcal{A}$ makes at most $q_D$ decryption queries, and at most $q_{H_1}$, $q_{H_2}$ queries to the hash functions $H_1$, $H_2$, respectively. Then there is an algorithm $\mathcal{B}$ which can solve PDH with probability at least $\epsilon'$ within $t'$ steps, where

$$\epsilon' = \frac{2}{q_{H_1}}\Big(\epsilon - q_{H_2} \cdot 2^{-(k_0 - 1)}\Big)\big(1 - 2^{-l_0}\big)^{q_D} \quad \text{and} \quad t' = O\big(t \cdot q_{H_2} \cdot (T_{\mathcal{E}}(k) + c \cdot k)\big),$$

where $c$ is a constant and $T_{\mathcal{E}}(k)$ denotes the computational time of the encryption algorithm $\mathcal{E}_{pk}(\cdot)$ in our basic scheme, and

$$l_0 := \log_2\Big(\min_{x \in \{0,1\}^{k+k_0}} \#\{\mathcal{E}_{pk}(x, r) \mid r \in \{0,1\}^l\}\Big).$$

Proof. By Theorems 5.3.7 and 5.3.8, it can be immediately concluded that the new encryption is IND-CCA2 secure in the random oracle model under the PDH assumption. □


5.3.5 Instantiation and Illustration (I)

In this subsection, we describe the method to construct a cryptographic hash that maps a binary string to a polynomial, such as $H_1 : \{0,1\}^{k+k_0} \to \mathbb{Z}^+[x]$. In particular, the resulting polynomials should satisfy further conditions, such as the condition $h(p) \neq 0$ and so on. We employ the so-called divide-and-conquer strategy to solve this problem: at first, we extract a polynomial $h(x) \in \mathbb{Z}^+[x]$ from a binary string in $\{0,1\}^{k+k_0}$; then, we adopt a deterministic way to transform $h(x)$ into $\bar{h}(x)$ so that $\bar{h}(x)$ satisfies the desired condition $\mathcal{C}$. In other words, we need to consider the following issues:

• Initialization. Suppose that there is a cryptographic hash function $H_1$ which maps $m \in \{0,1\}^{k+k_0}$ to $(z_0, z_1, \ldots, z_{d_H}) \in \mathbb{Z}_{c_H}^{d_H + 1}$, where $d_H \cdot c_H$ is large enough to resist brute force attack.

• Transformation. A polynomial $h(x) = z_0 + z_1 x + \cdots + z_{d_H} x^{d_H}$ can be transformed into $\bar{h}(x) = h(x) + \Delta$ with

$$\Delta = \min\{\delta \in \mathbb{Z}_{\geq 0} : h(x) + \delta \cdot 1_R \in \mathbb{Z}^+[x] \cap \mathcal{C}\},$$

where $\mathbb{Z}^+[x] \cap \mathcal{C}$ is the set of polynomials in $\mathbb{Z}^+[x]$ satisfying the given condition $\mathcal{C}$.

Now, let us illustrate the above method by using a special matrix ring $M_2(\mathbb{Z}_N)$, where $N = p \cdot q$, and $p$ and $q$ are two large secure primes. We have solid reasons to believe that SDP over $M_2(\mathbb{Z}_N)$ is intractable, since it is infeasible to extract

$$A = \begin{pmatrix} a & 0 \\ 0 & 0 \end{pmatrix} \in M_2(\mathbb{Z}_N), \quad a \in \mathbb{Z}_N$$

from

$$A^2 = \begin{pmatrix} a^2 \bmod N & 0 \\ 0 & 0 \end{pmatrix} \in M_2(\mathbb{Z}_N)$$

without knowing the factorization of $N$.

Example 1. Diffie-Hellman-Like key agreement over matrix rings. Let $N = 7 \cdot 11$ (all matrix arithmetic below is modulo $N$). Alice chooses

$$m = 3, \quad n = 5, \quad A = \begin{pmatrix} 2 & 5 \\ 7 & 4 \end{pmatrix}, \quad B = \begin{pmatrix} 1 & 9 \\ 3 & 2 \end{pmatrix}$$

and $f(x) = 3x^3 + 4x^2 + 5x + 6$. She computes

$$f(A) = 3 \cdot \begin{pmatrix} 2 & 5 \\ 7 & 4 \end{pmatrix}^3 + 4 \cdot \begin{pmatrix} 2 & 5 \\ 7 & 4 \end{pmatrix}^2 + 5 \cdot \begin{pmatrix} 2 & 5 \\ 7 & 4 \end{pmatrix} + 6 \cdot I = \begin{pmatrix} 35 & 12 \\ 63 & 9 \end{pmatrix}$$

and

$$r_A = \begin{pmatrix} 35 & 12 \\ 63 & 9 \end{pmatrix}^3 \begin{pmatrix} 1 & 9 \\ 3 & 2 \end{pmatrix} \begin{pmatrix} 35 & 12 \\ 63 & 9 \end{pmatrix}^5 = \begin{pmatrix} 49 & 53 \\ 42 & 31 \end{pmatrix}.$$

Then, she sends $m, n, A, B$, and $r_A$ to Bob. Upon receiving $m, n, A, B$, and $r_A$ from Alice, Bob chooses another polynomial $h(x) = x^5 + 5x + 1$ and computes

$$h(A) = \begin{pmatrix} 2 & 5 \\ 7 & 4 \end{pmatrix}^5 + 5 \cdot \begin{pmatrix} 2 & 5 \\ 7 & 4 \end{pmatrix} + I = \begin{pmatrix} 64 & 13 \\ 49 & 23 \end{pmatrix},$$

and

$$r_B = \begin{pmatrix} 64 & 13 \\ 49 & 23 \end{pmatrix}^3 \begin{pmatrix} 1 & 9 \\ 3 & 2 \end{pmatrix} \begin{pmatrix} 64 & 13 \\ 49 & 23 \end{pmatrix}^5 = \begin{pmatrix} 29 & 40 \\ 52 & 6 \end{pmatrix}.$$

Then, he sends $r_B$ to Alice. Finally, Alice extracts the session key as

$$K_A = \begin{pmatrix} 35 & 12 \\ 63 & 9 \end{pmatrix}^3 \begin{pmatrix} 29 & 40 \\ 52 & 6 \end{pmatrix} \begin{pmatrix} 35 & 12 \\ 63 & 9 \end{pmatrix}^5 = \begin{pmatrix} 28 & 37 \\ 14 & 40 \end{pmatrix}$$

and Bob extracts the session key as

$$K_B = \begin{pmatrix} 64 & 13 \\ 49 & 23 \end{pmatrix}^3 \begin{pmatrix} 49 & 53 \\ 42 & 31 \end{pmatrix} \begin{pmatrix} 64 & 13 \\ 49 & 23 \end{pmatrix}^5 = \begin{pmatrix} 28 & 37 \\ 14 & 40 \end{pmatrix}.$$

Example 2. Encryption/Decryption over matrix rings for the basic scheme. Suppose that in the basic scheme the message space is $M_2(\mathbb{Z}_N)$ and

$$H : M_2(\mathbb{Z}_N) \to M_2(\mathbb{Z}_N), \quad m_{ij} \mapsto 2^{m_{ij}} \bmod N,$$

is a cryptographic hash function. Suppose that the remaining system parameters are

$$m = 3, \quad n = 5, \quad p = \begin{pmatrix} 2 & 5 \\ 7 & 4 \end{pmatrix}, \quad q = \begin{pmatrix} 1 & 9 \\ 3 & 2 \end{pmatrix}.$$

Suppose that the polynomial $f(x)$ picked by Alice is just that of Example 1. That is, Alice's private key is $f(p) = \begin{pmatrix} 35 & 12 \\ 63 & 9 \end{pmatrix}$, and the corresponding public key is $pk = f(p)^3 q f(p)^5 = \begin{pmatrix} 49 & 53 \\ 42 & 31 \end{pmatrix}$. Bob picks a random message $M = \begin{pmatrix} 27 & 19 \\ 34 & 8 \end{pmatrix}$. Suppose the random polynomial he picked gives $h(p) = \begin{pmatrix} 64 & 13 \\ 49 & 23 \end{pmatrix}$. Now, he computes the ciphertext $(c, d)$ as follows:

$$c = h(p)^3 q h(p)^5 = \begin{pmatrix} 64 & 13 \\ 49 & 23 \end{pmatrix}^3 \begin{pmatrix} 1 & 9 \\ 3 & 2 \end{pmatrix} \begin{pmatrix} 64 & 13 \\ 49 & 23 \end{pmatrix}^5 = \begin{pmatrix} 29 & 40 \\ 52 & 6 \end{pmatrix},$$

$$\begin{aligned}
d &= H(h(p)^3 \cdot pk \cdot h(p)^5) \oplus M \\
&= H\Big(\begin{pmatrix} 64 & 13 \\ 49 & 23 \end{pmatrix}^3 \begin{pmatrix} 49 & 53 \\ 42 & 31 \end{pmatrix} \begin{pmatrix} 64 & 13 \\ 49 & 23 \end{pmatrix}^5\Big) \oplus \begin{pmatrix} 27 & 19 \\ 34 & 8 \end{pmatrix} \\
&= \Big(\begin{pmatrix} 2^{28} & 2^{37} \\ 2^{14} & 2^{40} \end{pmatrix} \bmod N\Big) \oplus \begin{pmatrix} 27 & 19 \\ 34 & 8 \end{pmatrix} \\
&= \begin{pmatrix} 58 & 51 \\ 60 & 23 \end{pmatrix} \oplus \begin{pmatrix} 27 & 19 \\ 34 & 8 \end{pmatrix} = \begin{pmatrix} 33 & 32 \\ 30 & 31 \end{pmatrix}.
\end{aligned}$$

Upon receiving the above ciphertext, Alice decrypts it as follows:

$$\begin{aligned}
M' &= H(f(p)^3 \cdot c \cdot f(p)^5) \oplus d \\
&= H\Big(\begin{pmatrix} 35 & 12 \\ 63 & 9 \end{pmatrix}^3 \begin{pmatrix} 29 & 40 \\ 52 & 6 \end{pmatrix} \begin{pmatrix} 35 & 12 \\ 63 & 9 \end{pmatrix}^5\Big) \oplus \begin{pmatrix} 33 & 32 \\ 30 & 31 \end{pmatrix} \\
&= \begin{pmatrix} 58 & 51 \\ 60 & 23 \end{pmatrix} \oplus \begin{pmatrix} 33 & 32 \\ 30 & 31 \end{pmatrix} = \begin{pmatrix} 27 & 19 \\ 34 & 8 \end{pmatrix} = M.
\end{aligned}$$
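The matrix-ring instantiation of Protocols 5.3.4, 5.3.5 and 5.3.9 in runnable form, as an added example that is not the book's own code: it reproduces the values of Examples 1 to 3 ($N = 77$, $m = 3$, $n = 5$), including the re-encryption check of the improved scheme. The function names and the coefficient-list representation of polynomials are this example's own conventions, not the book's.

```python
# Added worked example (not the book's code): the Z-modular constructions of
# Protocols 5.3.4, 5.3.5 and 5.3.9 instantiated over the matrix ring M_2(Z_N)
# with the parameters of Examples 1-3 (N = 7*11, m = 3, n = 5).  Matrices are
# lists of two rows; polynomials are coefficient lists, constant term first.
N = 77                       # N = p*q with p = 7, q = 11, as in the examples
M_EXP, N_EXP = 3, 5          # the public exponents m and n
ZERO, IDENT = [[0, 0], [0, 0]], [[1, 0], [0, 1]]


def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) % N for j in range(2)]
            for i in range(2)]


def mat_add(a, b):
    return [[(a[i][j] + b[i][j]) % N for j in range(2)] for i in range(2)]


def mat_scale(k, a):
    return [[(k * a[i][j]) % N for j in range(2)] for i in range(2)]


def mat_pow(a, e):
    r = IDENT
    for _ in range(e):
        r = mat_mul(r, a)
    return r


def poly_eval(coeffs, a):
    """c0*I + c1*a + c2*a^2 + ...; any two such values commute (Theorem 5.3.3)."""
    r = ZERO
    for i, c in enumerate(coeffs):
        r = mat_add(r, mat_scale(c, mat_pow(a, i)))
    return r


def sandwich(z, x):
    """The 'exponential' x^z = z^m * x * z^n of (5.15)."""
    return mat_mul(mat_mul(mat_pow(z, M_EXP), x), mat_pow(z, N_EXP))


def fix_condition(coeffs, p):
    """Transformation step of 5.3.5: add the least delta >= 0 so that h(p) != 0."""
    coeffs = list(coeffs)
    while poly_eval(coeffs, p) == ZERO:
        coeffs[0] += 1
    return coeffs


def dh_key_agreement(a, b, f, h):
    """Protocol 5.3.4; returns (r_A, r_B, K_A, K_B)."""
    fa, ha = poly_eval(f, a), poly_eval(h, a)
    r_a, r_b = sandwich(fa, b), sandwich(ha, b)
    return r_a, r_b, sandwich(fa, r_b), sandwich(ha, r_a)


def hash_pow2(x):
    """H of Example 2 (also the H_2 of Example 3): entry e -> 2^e mod N."""
    return [[pow(2, e, N) for e in row] for row in x]


def xor_mat(a, b):
    return [[a[i][j] ^ b[i][j] for j in range(2)] for i in range(2)]


def keygen(p, q, f):
    fp = poly_eval(f, p)
    return fp, sandwich(fp, q)                  # private key f(p), public y


def basic_encrypt(p, q, y, h, msg):
    """Protocol 5.3.5 with a sender-chosen polynomial h."""
    hp = poly_eval(fix_condition(h, p), p)
    return sandwich(hp, q), xor_mat(hash_pow2(sandwich(hp, y)), msg)


def basic_decrypt(fp, c, d):
    return xor_mat(hash_pow2(sandwich(fp, c)), d)


# Protocol 5.3.9 with the H_1 / H_2 of Example 3: a message is a matrix whose
# (2,2) entry is zero, and the pad r is written into that slot to form M || r.
def h1(padded):
    (a, b), (c, r) = padded
    return [pow(2, r, N), pow(2, a, N), pow(2, b, N), pow(2, c, N)]


def improved_encrypt(p, q, y, msg, r):
    padded = [list(msg[0]), [msg[1][0], r]]
    hp = poly_eval(fix_condition(h1(padded), p), p)
    return sandwich(hp, q), xor_mat(hash_pow2(sandwich(hp, y)), padded)


def improved_decrypt(fp, p, q, c, d):
    """Returns the message, or None when the Fujisaki-Okamoto check fails."""
    padded = xor_mat(hash_pow2(sandwich(fp, c)), d)
    gp = poly_eval(fix_condition(h1(padded), p), p)
    if sandwich(gp, q) != c:                    # re-encryption check
        return None
    return [list(padded[0]), [padded[1][0], 0]]


if __name__ == "__main__":
    A, B = [[2, 5], [7, 4]], [[1, 9], [3, 2]]
    F, HP = [6, 5, 4, 3], [1, 5, 0, 0, 0, 1]    # 3x^3+4x^2+5x+6 and x^5+5x+1
    print(dh_key_agreement(A, B, F, HP)[2])     # the shared key K_A
```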


Example 3. Encryption/Decryption over matrix rings for the new scheme. Suppose that in the new scheme the message space is $\mathcal{M} = \Big\{\begin{pmatrix} a & b \\ c & 0 \end{pmatrix} : a, b, c \in \mathbb{Z}_N\Big\}$, and

$$H_1 : \mathcal{M} \times \mathbb{Z}_N \to \mathbb{Z}^+[x], \quad \Big(\begin{pmatrix} a & b \\ c & 0 \end{pmatrix}, r\Big) \mapsto 2^r + 2^a x + 2^b x^2 + 2^c x^3.$$

For simplicity, we define

$$(M \,\|\, r) := \begin{pmatrix} a & b \\ c & 0 \end{pmatrix} + \begin{pmatrix} 0 & 0 \\ 0 & r \end{pmatrix} = \begin{pmatrix} a & b \\ c & r \end{pmatrix}.$$

In addition, $H_2 : M_2(\mathbb{Z}_N) \to \mathcal{M} \times \mathbb{Z}_N$ can be defined as

$$\begin{pmatrix} a & b \\ c & d \end{pmatrix} \mapsto (M \,\|\, r), \quad \text{where } M = \begin{pmatrix} 2^a & 2^b \\ 2^c & 0 \end{pmatrix} \bmod N, \ r = 2^d \bmod N.$$

Suppose that Alice's private/public keys are the same as those in the basic scheme. Bob picks a message $M = \begin{pmatrix} 27 & 19 \\ 34 & 0 \end{pmatrix}$. Suppose $r = 35$. Then, he extracts a polynomial $h(x)$ and computes $h(p)$ as follows:

$$h(x) = 2^{35} + 2^{27} x + 2^{19} x^2 + 2^{34} x^3 \bmod N = 32 + 29x + 72x^2 + 16x^3,$$

$$h(p) = 32 \cdot I + 29 \cdot \begin{pmatrix} 2 & 5 \\ 7 & 4 \end{pmatrix} + 72 \cdot \begin{pmatrix} 2 & 5 \\ 7 & 4 \end{pmatrix}^2 + 16 \cdot \begin{pmatrix} 2 & 5 \\ 7 & 4 \end{pmatrix}^3 = \begin{pmatrix} 37 & 30 \\ 42 & 49 \end{pmatrix} \neq 0.$$

Note that if $h(x)$ does not satisfy the condition $h(p) \neq 0$, he should transform $h(x)$ into $\bar{h}(x) = h(x) + \Delta$, where

$$\Delta = \min\Big\{\delta \in \mathbb{Z}_{\geq 0} : h(p) + \delta \cdot \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \neq 0\Big\}.$$

Then, the ciphertext is $(c, d)$, where

$$c = h(p)^3 q h(p)^5 = \begin{pmatrix} 37 & 30 \\ 42 & 49 \end{pmatrix}^3 \begin{pmatrix} 1 & 9 \\ 3 & 2 \end{pmatrix} \begin{pmatrix} 37 & 30 \\ 42 & 49 \end{pmatrix}^5 = \begin{pmatrix} 65 & 37 \\ 35 & 7 \end{pmatrix},$$

$$\begin{aligned}
d &= H_2(h(p)^3 \cdot pk \cdot h(p)^5) \oplus (M \,\|\, r) \\
&= H_2\Big(\begin{pmatrix} 37 & 30 \\ 42 & 49 \end{pmatrix}^3 \begin{pmatrix} 49 & 53 \\ 42 & 31 \end{pmatrix} \begin{pmatrix} 37 & 30 \\ 42 & 49 \end{pmatrix}^5\Big) \oplus \begin{pmatrix} 27 & 19 \\ 34 & 35 \end{pmatrix} \\
&= \begin{pmatrix} 57 & 60 \\ 57 & 51 \end{pmatrix} \oplus \begin{pmatrix} 27 & 19 \\ 34 & 35 \end{pmatrix} = \begin{pmatrix} 34 & 47 \\ 27 & 16 \end{pmatrix}.
\end{aligned}$$

Upon receiving the above ciphertext, Alice decrypts it as follows:

$$\begin{aligned}
M' &= H_2(f(p)^3 \cdot c \cdot f(p)^5) \oplus d \\
&= H_2\Big(\begin{pmatrix} 35 & 12 \\ 63 & 9 \end{pmatrix}^3 \begin{pmatrix} 65 & 37 \\ 35 & 7 \end{pmatrix} \begin{pmatrix} 35 & 12 \\ 63 & 9 \end{pmatrix}^5\Big) \oplus \begin{pmatrix} 34 & 47 \\ 27 & 16 \end{pmatrix} \\
&= \begin{pmatrix} 57 & 60 \\ 57 & 51 \end{pmatrix} \oplus \begin{pmatrix} 34 & 47 \\ 27 & 16 \end{pmatrix} = \begin{pmatrix} 27 & 19 \\ 34 & 35 \end{pmatrix} \\
&= \begin{pmatrix} 27 & 19 \\ 34 & 0 \end{pmatrix} + \begin{pmatrix} 0 & 0 \\ 0 & 35 \end{pmatrix} = M \,\|\, r.
\end{aligned}$$


5.3.6 Z-Modular Method over Noncommutative Groups/Semigroups

Suppose that $(G, \cdot, 1_G)$ is a noncommutative group, $(R, +, \cdot, 1_R)$ is a ring and there is a monomorphism $\tau : (G, \cdot, 1_G) \to (R, \cdot, 1_R)$. Then, the inverse map $\tau^{-1} : \tau(G) \to G$ is also a well-defined monomorphism. For $a, b \in G$, if $\tau(a) + \tau(b) \in \tau(G)$, we define

$$a \boxplus b = \tau^{-1}(\tau(a) + \tau(b)), \qquad (5.16)$$

and call it the quasi-sum of $a$ and $b$. Similarly, for $k \in R$ and $a \in G$, if $k \cdot \tau(a) \in \tau(G)$, we define

$$k \boxtimes a = \tau^{-1}(k \cdot \tau(a)), \qquad (5.17)$$

and call it the $k$ quasi-multiple of $a$.

Given $a, b \in G$ with $k \cdot \tau(a) + \tau(b) \in \tau(G)$, it is easy to see that the monomorphism $\tau$ is quasi-linear, i.e., it satisfies the following equality:

$$\begin{aligned}
\tau((k \boxtimes a) \boxplus b) &= \tau(\tau^{-1}(\tau(k \boxtimes a) + \tau(b))) \\
&= \tau(\tau^{-1}(\tau(\tau^{-1}(k \cdot \tau(a))) + \tau(b))) \\
&= \tau(\tau^{-1}(k \cdot \tau(a) + \tau(b))) = k \cdot \tau(a) + \tau(b).
\end{aligned}$$

Furthermore, for $f(x) = z_0 + z_1 x + \cdots + z_n x^n \in \mathbb{Z}[x]$ and $a \in G$, if $f(\tau(a)) = z_0 \cdot 1_R + z_1 \cdot \tau(a) + \cdots + z_n \cdot \tau(a)^n \in \tau(G)$, we define

$$f(a) = \tau^{-1}(f(\tau(a))) = \tau^{-1}(z_0 \cdot 1_R + z_1 \cdot \tau(a) + \cdots + z_n \cdot \tau(a)^n), \qquad (5.18)$$

and call it the quasi-polynomial of $f$ with respect to $a$. (Notice that, for arbitrary $a, b \in G$, $k \in R$ and $f(x) \in \mathbb{Z}[x]$, $a \boxplus b$, $k \boxtimes a$ and $f(a)$ are not always well-defined.)

Theorem 5.3.11. Suppose that $(G, \cdot, 1_G)$ is a noncommutative group, $(R, +, \cdot, 1_R)$ is a ring and $\tau : (G, \cdot, 1_G) \to (R, \cdot, 1_R)$ is a monomorphism. For some $a \in G$ and some $f(x), h(x) \in \mathbb{Z}[x]$, if both $f(a)$ and $h(a)$ are well-defined, we have

$$f(a) \cdot h(a) = h(a) \cdot f(a).$$

Proof.

$$\begin{aligned}
f(a) \cdot h(a) &= \tau^{-1}(f(\tau(a))) \cdot \tau^{-1}(h(\tau(a))) \\
&= \tau^{-1}(f(\tau(a)) \cdot h(\tau(a))) \\
&= \tau^{-1}(h(\tau(a)) \cdot f(\tau(a))) \\
&= \tau^{-1}(h(\tau(a))) \cdot \tau^{-1}(f(\tau(a))) \\
&= h(a) \cdot f(a). \qquad □
\end{aligned}$$

Now, similar to the discussion in Subsection 5.3.2, we can discuss new problems over the noncommutative group $(G, \cdot, 1_G)$. Suppose that $(R, +, \cdot, 1_R)$ is a ring and $\tau : (G, \cdot, 1_G) \to (R, \cdot, 1_R)$ is a monomorphism. For any randomly picked element $a \in G$, we define a set $P_a \subseteq G$ by

$$P_a = \{ f(a) : f(x) \in \mathbb{Z}[x],\ f(\tau(a)) \in \tau(G) \}.$$
Then, we can define the PSD and PDH problems over $(G, \cdot)$ in a similar way:

• Polynomial Symmetrical Decomposition (PSD*) Problem: Given $(a, x, y) \in G^3$ and $m, n \in \mathbb{Z}$, find $z \in P_a$ so that $y = z^m x z^n$, where $G$ is a noncommutative group.

• Polynomial Diffie-Hellman (PDH*) Problem: Given $a, x, x^{z_1}, x^{z_2}$ with $a, x \in G$ and $z_1, z_2 \in P_a$, compute $x^{z_1 z_2}$ or $x^{z_2 z_1}$, where $G$ is a noncommutative group.

Accordingly, the PSD* (PDH*, respectively) cryptographic assumption over $(G, \cdot)$ says that the PSD* (PDH*, respectively) problem over $(G, \cdot)$ is intractable, i.e., there does not exist a probabilistic polynomial time algorithm which can solve the PSD* (PDH*, respectively) problem over $(G, \cdot)$ with non-negligible advantage with respect to the parameters of the problem scale.

Under these assumptions, we have

Protocol 5.3.12. Diffie-Hellman-Like Key Agreement Protocol over a Noncommutative Group:

(0) Suppose that $(G, \cdot, 1_G)$ is a noncommutative group, $(R, +, \cdot, 1_R)$ is a ring and $\tau : (G, \cdot, 1_G) \to (R, \cdot, 1_R)$ is a monomorphism. Alice sends two random small, positive integers (say, less than 10) $m, n \in \mathbb{Z}$ and two random elements $a, b \in G$ to Bob.

(1) Alice chooses $f(x) \in \mathbb{Z}[x]$ at random so that $f(a)$ is well-defined, i.e., $f(\tau(a)) \in \tau(G)$. Then, Alice takes $f(a)$ as her private key.

(2) Bob chooses $h(x) \in \mathbb{Z}[x]$ at random so that $h(a)$ is well-defined, i.e., $h(\tau(a)) \in \tau(G)$. Then, Bob takes $h(a)$ as his private key.

(3) Alice computes $r_A = f(a)^m \cdot b \cdot f(a)^n$ and sends $r_A$ to Bob.

(4) Bob computes $r_B = h(a)^m \cdot b \cdot h(a)^n$ and sends $r_B$ to Alice.

(5) Alice computes $K_A = f(a)^m \cdot r_B \cdot f(a)^n$ as the shared session key.

(6) Bob computes $K_B = h(a)^m \cdot r_A \cdot h(a)^n$ as the shared session key.

In practice, steps (0), (1), and (3) can be finished simultaneously and require only one pass of communication from Alice to Bob. After that, steps (2) and (4) can be finished simultaneously and require another pass of communication from Bob to Alice. Finally, Alice and Bob execute steps (5) and (6), respectively. We depict the protocol in Figure 5.5.


Alice: $m, n \leftarrow \mathbb{Z}$, $a, b \leftarrow G$, $f(x) \leftarrow \mathbb{Z}[x]$ s.t. $f(\tau(a)) \in \tau(G)$

Pass 1, Alice to Bob: $m, n, a, b, f(a)^m b f(a)^n$

Bob: $h(x) \leftarrow \mathbb{Z}[x]$ s.t. $h(\tau(a)) \in \tau(G)$

Pass 2, Bob to Alice: $h(a)^m b h(a)^n$

$K_A = f(a)^m h(a)^m b h(a)^n f(a)^n = h(a)^m f(a)^m b f(a)^n h(a)^n = K_B$

Figure 5.5: Diffie-Hellman-Like Key Agreement over Noncommutative Groups

Similarly, it is easy to describe ElGamal-like encryption schemes, including both the basic scheme and the improved scheme, by using noncommutative groups as the underlying algebraic structure.

Protocol 5.3.13. ElGamal-Like Encryption (Basic) Scheme over a Noncommutative Group:

• Setup: Suppose that $(G, \cdot, 1_G)$ is a noncommutative group, $(R, +, \cdot, 1_R)$ is a ring and $\tau : (G, \cdot, 1_G) \to (R, \cdot, 1_R)$ is a monomorphism. We assume that SDP on $G$ is intractable. Pick two small positive integers $m, n \in \mathbb{Z}$ and two elements $p, q \in G$ at random. Let $H : G \to \mathcal{M}$ be a cryptographic hash function which maps $G$ to the message space $\mathcal{M}$. Then, set the tuple $(G, R, \tau, m, n, p, q, \mathcal{M}, H)$ as the public parameters of the system.

• Key generation: Each user chooses a random polynomial $f(x) \in \mathbb{Z}[x]$ so that $f(\tau(p)) \in \tau(G)$ and takes $sk = f(p)$ as his private key, then computes and publishes his public key $pk = f(p)^m \cdot q \cdot f(p)^n \in G$.

• Encryption: Given a message $M \in \mathcal{M}$ and the receiver's key $pk \in G$, the sender chooses a random polynomial $h(x) \in \mathbb{Z}[x]$ so that $h(\tau(p)) \in \tau(G)$, computes

$$c = h(p)^m \cdot q \cdot h(p)^n, \qquad d = H(h(p)^m \cdot pk \cdot h(p)^n) \oplus M,$$

and outputs the ciphertext $(c, d) \in G \times \mathcal{M}$.

• Decryption: Upon receiving a ciphertext $(c, d) \in G \times \mathcal{M}$, the receiver, by using his private key $f(p)$, computes the plaintext

$$M = H(f(p)^m \cdot c \cdot f(p)^n) \oplus d.$$

Protocol 5.3.14. Improved ElGamal-Like Encryption Scheme over a Noncommutative Group:

• Setup: The parameters $G, R, \tau, m, n, p, q, \mathcal{M}$ are set as in Protocol 5.3.13. In addition, suppose that $H_1 : \{0,1\}^{k+k_0} \to \mathbb{Z}^+[x]$ and $H_2 : G \to \{0,1\}^{k+k_0}$ are two cryptographic hash functions, where $k$ is the length of a message and $k_0$ is the length of the random string used for padding.

• Key generation: See Protocol 5.3.13.

• Encryption: Given a message $M \in \mathcal{M}$ and the receiver's key $pk \in G$, the sender chooses a random $r \in \{0,1\}^{k_0}$ and extracts a polynomial $h(x) \in \mathbb{Z}[x]$ so that $h(\tau(p)) \in \tau(G)$, and then computes

$$c = h(p)^m \cdot q \cdot h(p)^n, \qquad d = H_2(h(p)^m \cdot pk \cdot h(p)^n) \oplus (M \,\|\, r),$$

and outputs the ciphertext $(c, d) \in G \times \{0,1\}^{k+k_0}$.

• Decryption: Upon receiving a ciphertext $(c, d) \in G \times \{0,1\}^{k+k_0}$, the receiver, by using his private key $f(p)$, computes

$$M' = H_2(f(p)^m \cdot c \cdot f(p)^n) \oplus d.$$

Extract $g(x) = H_1(M') \in \mathbb{Z}[x]$ and check whether $c = g(p)^m \cdot q \cdot g(p)^n$ holds. If so, output the first $k$ bits of $M'$; otherwise, output $\bot$.

The security and related proofs of the above cryptosystems are very similar, except that the PDH assumption over the noncommutative ring $R$ is replaced with the PDH* assumption over the noncommutative group $G$. Similar constructions can also be obtained for the case when $G$ is a noncommutative semigroup, except that $\mathbb{Z}$ and $\mathbb{Z}[x]$ are replaced with $\mathbb{Z}^+$ and $\mathbb{Z}^+[x]$ respectively. The main differences between the protocols and schemes over noncommutative rings and semigroups and those over noncommutative groups are:

(1) $m, n \in \mathbb{Z}^+$ for the schemes over rings and semigroups, while $m, n \in \mathbb{Z}$ for the schemes over groups;

(2) $f, h \in \mathbb{Z}^+[x]$ for the schemes over rings and semigroups, while $f, h \in \{g \in \mathbb{Z}[x] : g(\tau(a)) \in \tau(G)\} \subseteq \mathbb{Z}[x]$ for the schemes over groups.

5.3.7 Instantiation and Illustration (II)

To illustrate our method, we take the minimal noncommutative group, namely the symmetric group $S_3$, as the underlying algebraic structure. We choose $M_2(\mathbb{Z}_2)$ as the required ring. Define the required monomorphism $\tau : S_3 \to M_2(\mathbb{Z}_2)$ on the two transpositions

$$\tau\begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \qquad \tau\begin{pmatrix} 1 & 2 & 3 \\ 3 & 2 & 1 \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix},$$

which determines $\tau$ on all of $S_3$, since these two transpositions generate $S_3$ and their images satisfy the same relations (both have order 2 and their product has order 3).


Example 4. Diffie-Hellman-Like Key Agreement over $S_3$.

Alice chooses

$$m = 3, \quad n = 5, \quad A = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}, \quad B = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix}$$

and picks a polynomial $f(x) = 4x^2 + x + 2$. Clearly, $f(\tau(A)) \in \tau(S_3)$. Then, Alice computes

$$f(A) = \tau^{-1}(f(\tau(A))) = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}, \qquad r_A = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}^3 \circ \begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix} \circ \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}^5 = \begin{pmatrix} 1 & 2 & 3 \\ 3 & 2 & 1 \end{pmatrix},$$

and sends $m, n, A, B$, and $r_A$ to Bob.

Upon receiving $m, n, A, B$, and $r_A$ from Alice, Bob chooses another random polynomial $h(x) = 4x^4 + x^3 + 4x^2 + 3x + 4$. Clearly, $h(\tau(A)) \in \tau(S_3)$. Then, Bob computes

$$h(A) = \tau^{-1}(h(\tau(A))) = \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}, \qquad r_B = \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}^3 \circ \begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix} \circ \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}^5 = \begin{pmatrix} 1 & 2 & 3 \\ 1 & 3 & 2 \end{pmatrix},$$

and sends $r_B$ to Alice.

Finally, Alice extracts the session key

$$K_A = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}^3 \circ \begin{pmatrix} 1 & 2 & 3 \\ 1 & 3 & 2 \end{pmatrix} \circ \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}^5$$

and Bob extracts the session key

$$K_B = \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}^3 \circ \begin{pmatrix} 1 & 2 & 3 \\ 3 & 2 & 1 \end{pmatrix} \circ \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}^5.$$
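The quasi-polynomial machinery of Section 5.3.6 and Protocol 5.3.12 over $S_3$, as an added example that is not the book's own code: it extends the two generator images of $\tau$ given above to all of $S_3$ by closure, evaluates $f(a) = \tau^{-1}(f(\tau(a)))$ as in (5.18), reports when a quasi-polynomial is not well-defined, and reproduces Example 4. Representing a permutation $(1\,2\,3;\ s_1\,s_2\,s_3)$ as the tuple $(s_1, s_2, s_3)$ with $(s \circ t)(i) = s(t(i))$, and the function names, are this example's own conventions.

```python
# Added example (not the book's code): quasi-polynomials of Section 5.3.6 and
# the key agreement of Protocol 5.3.12 over S_3, embedded in M_2(Z_2) by the
# monomorphism tau of Section 5.3.7.  A permutation (1 2 3 ; s1 s2 s3) is the
# tuple (s1, s2, s3); composition is (s o t)(i) = s(t(i)).
IDENT = (1, 2, 3)
GEN_IMAGES = {                 # the two transposition images given on the page
    (2, 1, 3): ((0, 1), (1, 0)),
    (3, 2, 1): ((1, 0), (1, 1)),
}


def compose(s, t):
    return tuple(s[t[i] - 1] for i in range(3))


def perm_inv(s):
    inv = [0, 0, 0]
    for i, v in enumerate(s):
        inv[v - 1] = i + 1
    return tuple(inv)


def perm_pow(s, e):
    """Integer powers, negative ones via the inverse (G is a group)."""
    if e < 0:
        s, e = perm_inv(s), -e
    r = IDENT
    for _ in range(e):
        r = compose(r, s)
    return r


def m2_mul(x, y):
    return tuple(tuple(sum(x[i][k] * y[k][j] for k in range(2)) % 2
                       for j in range(2)) for i in range(2))


def m2_add(x, y):
    return tuple(tuple((x[i][j] + y[i][j]) % 2 for j in range(2)) for i in range(2))


def build_tau():
    """Extend the generator images to all of S_3 using tau(g o s) = tau(g) tau(s).
    This is a homomorphism because the images obey the relations of S_3
    (both of order 2, product of order 3), and injective since all 6 differ."""
    tau = {IDENT: ((1, 0), (0, 1))}
    frontier = [IDENT]
    while frontier:
        g = frontier.pop()
        for s, ms in GEN_IMAGES.items():
            gs = compose(g, s)
            if gs not in tau:
                tau[gs] = m2_mul(tau[g], ms)
                frontier.append(gs)
    return tau


TAU = build_tau()
TAU_INV = {v: k for k, v in TAU.items()}       # tau^{-1} on tau(S_3)


def quasi_poly(coeffs, a):
    """f(a) = tau^{-1}(f(tau(a))) of (5.18); None when f(tau(a)) is not in tau(G)."""
    ta = TAU[a]
    acc, power = ((0, 0), (0, 0)), ((1, 0), (0, 1))
    for c in coeffs:                           # coefficients from Z, taken mod 2
        if c % 2:
            acc = m2_add(acc, power)
        power = m2_mul(power, ta)
    return TAU_INV.get(acc)


def sandwich(z, x, m, n):
    """x^z = z^m o x o z^n in the group."""
    return compose(compose(perm_pow(z, m), x), perm_pow(z, n))


def dh_key_agreement(a, b, f, h, m, n):
    """Protocol 5.3.12; returns (f(a), h(a), r_A, r_B, K_A, K_B)."""
    fa, ha = quasi_poly(f, a), quasi_poly(h, a)
    r_a, r_b = sandwich(fa, b, m, n), sandwich(ha, b, m, n)
    return fa, ha, r_a, r_b, sandwich(fa, r_b, m, n), sandwich(ha, r_a, m, n)


if __name__ == "__main__":
    A, B = (2, 3, 1), (2, 1, 3)
    F, HP = [2, 1, 4], [4, 3, 4, 1, 4]       # 4x^2+x+2 and 4x^4+x^3+4x^2+3x+4
    print(dh_key_agreement(A, B, F, HP, 3, 5))
```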



Example 5. Encryption/Decryption over $S_3$.

We can implement encryption/decryption in ways very similar to those in Example 2 and Example 3.

At first, let us choose two primes $p$ and $q$ so that $q \mid p - 1$, and set $\mathbb{Z}_p$ as the message space $\mathcal{M}$. Also, we assume that $g$ is a generator of order $q$. Then, we define

$$H : S_3 \to \mathcal{M}, \quad \begin{pmatrix} 1 & 2 & 3 \\ \sigma_1 & \sigma_2 & \sigma_3 \end{pmatrix} \mapsto g^{\sigma_1 + 2\sigma_2 + 2^2 \sigma_3} \bmod p,$$

$$H_1 : \mathcal{M} \times \mathbb{Z}_N \to \mathbb{Z}^+[x], \quad (M, r) \mapsto r_0 + r_1 x + r_2 x^2 + \cdots + r_n x^n,$$

where all coefficients $r_i$, $0 \leq i \leq n$, are determined by the following process⁸:

$$\begin{aligned}
M &= r k_0 + r_0, & 0 \leq r_0 < r, \\
r &= r_0 k_1 + r_1, & 0 \leq r_1 < r_0, \\
r_0 &= r_1 k_2 + r_2, & 0 \leq r_2 < r_1, \\
&\;\;\vdots \\
r_{n-2} &= r_{n-1} k_n + r_n, & 0 \leq r_n < r_{n-1}, \\
r_{n-1} &= r_n k_{n+1} + r_{n+1}, & r_{n+1} = 0.
\end{aligned}$$

For simplicity, we define

$$M \,\|\, r = r \cdot p + M \in \mathbb{Z}.$$

It is easy to extract $M$ from $M \,\|\, r$ by $M = (M \,\|\, r) \bmod p$. Another required hash $H_2 : S_3 \to \mathcal{M} \times \mathbb{Z}_N$ can be defined as

$$\begin{pmatrix} 1 & 2 & 3 \\ \sigma_1 & \sigma_2 & \sigma_3 \end{pmatrix} \mapsto \big(g^{\sigma_1 + 2\sigma_2 + 2^2 \sigma_3} \bmod p,\ g^{\sigma_3 + 2\sigma_1 + 2^2 \sigma_2} \bmod p\big).$$

Next, let $p = 23$, $q = 11$ and $g = 2$. Suppose that the other system parameters are

$$m = 3, \quad n = 5, \quad p = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}, \quad q = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix}.$$

Suppose that the polynomial $f(x)$ picked by Alice is just that in Example 4. Then, Alice's private key is $f(p) = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}$, and the corresponding public key is

$$pk = f(p)^3 q f(p)^5 = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}^3 \circ \begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix} \circ \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}^5 = \begin{pmatrix} 1 & 2 & 3 \\ 3 & 2 & 1 \end{pmatrix}.$$

⁸ Here, we assume that $\gcd(M, r) \neq r$; otherwise, we set $r = g^r \bmod p$ and then resume the process. Also, we assume that $M > r$; otherwise, we can swap them in advance.
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Bob picks a message M = 17 and a polynomial h(x) = 4a ; 4 + x 3 + 4a ; 2 + 3x + 4. 
Then, the permutation h(p) = ( 312 )- Compute the ciphertext (c, d) as follows: 


c = h(p) 3 qh{pf = 


123 
3 1 2 


d = H(h(p) 3 ■ pk ■ h(p) 5 ) © M 
3 


= H 


17 


1 23\ 

2 2 + 2 2 1 + 2 22 ' 3 mod 23 


123 
2 1 3 



17 


123 
3 1 2 


17 


123 

132 


= 18 0 17 = 3. 


On receiving the ciphertext, Alice decrypts it as follows: 


M' 


H(f(p) 3 -c-f(p) 5 )®d 



o 


/1 2 3 
\2 3 1 


0 3 


= H 



0 3 = (2 2 + 2 2 ' 1 + 2 22 ' 3 mod 23^ © 3 = 18 © 3 = 17 = M. 


For the improved encryption, Bob picks $M = 19$ and sets $r = 7$. Then, he extracts a polynomial from $(M, r) = (19, 7)$ as follows:
$$h(x) = 5 + 2x + x^2 + x^3.$$
Clearly, $h(\tau(p)) \in \tau(S_3)$. Note that if $h(x)$ does not satisfy the condition $h(\tau(p)) \in \tau(S_3)$, he should transform $h(x)$ to $h(x) + \Delta$, where
$$\Delta = \min\left\{ \delta \in \mathbb{Z}_{>0} : h(\tau(p)) + \delta \cdot \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \in \tau(S_3) \right\}.$$
Then,
$$h(p) = \tau^{-1}\big(h(\tau(p))\big) = \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}.$$

Consequently, the corresponding ciphertext $(c, d)$ is
$$c = h(p)^3 \circ q \circ h(p)^5 = \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}^3 \circ \begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix} \circ \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}^5 = \begin{pmatrix} 1 & 2 & 3 \\ 1 & 3 & 2 \end{pmatrix},$$
$$\begin{aligned}
d &= H\!\left(h(p)^3 \circ pk \circ h(p)^5\right) \oplus (M \,\|\, r)
   = \left(2^{\,2 + 2\cdot 1 + 2^2\cdot 3} \bmod 23\right) \oplus (19 + 5 \cdot 23) \\
  &= 18 \oplus 134 = 148.
\end{aligned}$$


On receiving the ciphertext, Alice decrypts it as follows:
$$M' = H\!\left(f(p)^3 \circ c \circ f(p)^5\right) \oplus d = \left(2^{\,2 + 2\cdot 1 + 2^2\cdot 3} \bmod 23\right) \oplus 148 = 18 \oplus 148 = 134.$$
Then, $M = M' \bmod 23 = 19$.
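The two encryptions and decryptions above can be checked mechanically. The following Python script is an added example, not code from the book: it models $S_3$ in one-line notation with the composition convention that reproduces $pk$ above, takes $f(p)$ and $h(p)$ to be the permutations the text gives (both are powers of $p$, so they commute with it), and assumes the hash $H$ to be the first coordinate of $H_2$, i.e. $H(\sigma) = g^{\sigma_1 + 2\sigma_2 + 2^2\sigma_3} \bmod p$, because the text's own definition of $H$ (from Example 4) is not reproduced here. The numeric value of $H$ therefore depends on that assumption; what the script demonstrates is the shared permutation, the round trip, the $M \,\|\, r$ padding, and what goes wrong when $h(p)$ does not commute with $f(p)$.

```python
# Added example: toy S_3 instance of the scheme above (not the book's code).
# Permutations are tuples of 1-based images, e.g. (2, 3, 1) means 1->2, 2->3, 3->1.
# ASSUMPTION: H(sigma) = g^(s1 + 2*s2 + 4*s3) mod P_MOD (first coordinate of H_2);
# the book's own H may differ, so no specific hash value is relied upon here.

P_MOD, G = 23, 2          # the prime p = 23 and generator g = 2 of the example
IDENTITY = (1, 2, 3)

def compose(s, t):
    """(s o t)(x) = s(t(x)); this convention reproduces pk = (3, 2, 1) above."""
    return tuple(s[t[x] - 1] for x in range(len(t)))

def power(s, n):
    r = IDENTITY
    for _ in range(n):
        r = compose(r, s)
    return r

def commutes(s, t):
    return compose(s, t) == compose(t, s)

def sandwich(u, middle):
    """u^3 o middle o u^5, the operation used for pk, c and the shared value."""
    return compose(compose(power(u, 3), middle), power(u, 5))

def hash_h(s):
    """Assumed hash S_3 -> Z_23 (see lead-in)."""
    return pow(G, s[0] + 2 * s[1] + 4 * s[2], P_MOD)

def keygen(q, fp):
    """Public key pk = f(p)^3 o q o f(p)^5; the secret is the permutation f(p)."""
    return sandwich(fp, q)

def encrypt(pk, q, hp, m):
    """Bob's side: c = h(p)^3 o q o h(p)^5, d = H(h(p)^3 o pk o h(p)^5) xor m."""
    return sandwich(hp, q), hash_h(sandwich(hp, pk)) ^ m

def decrypt(fp, c, d):
    """Alice's side: H(f(p)^3 o c o f(p)^5) xor d."""
    return hash_h(sandwich(fp, c)) ^ d

def pad(m, r):
    """M || r = r*p + M, the plaintext encoding of the improved encryption."""
    return r * P_MOD + m

def unpad(x):
    """Recover M from M || r by reducing mod p."""
    return x % P_MOD

# Example parameters from the text
p = (2, 3, 1)
q = (2, 1, 3)
f_p = (2, 3, 1)           # Alice's f(p)
h_p = (3, 1, 2)           # Bob's h(p); it equals p^2, so it commutes with f(p)
pk = keygen(q, f_p)

if __name__ == "__main__":
    c, d = encrypt(pk, q, h_p, 17)
    print("pk =", pk, "c =", c, "M' =", decrypt(f_p, c, d))
    c2, d2 = encrypt(pk, q, h_p, pad(19, 7))
    print("improved: M =", unpad(decrypt(f_p, c2, d2)))
```

The decisive property is that $h(p)^3 \circ pk \circ h(p)^5$ and $f(p)^3 \circ c \circ f(p)^5$ coincide only because $h(p)$ and $f(p)$ are both polynomials in $p$; the last check in the test replaces $h(p)$ by $q$, which does not commute with $p$, and the two sides diverge.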
5.4 Using Monomials in the Z-Modular Method

If the polynomials used in the Z-modular method are constrained to be monomials, then the conjugacy-related assumptions can be viewed as special cases of the assumptions defined in the Z-modular method. Under these assumptions, we [287] recently proposed several noncommutative cryptosystems.

5.4.1 Conjugate Left Self-Distributive System (Conj-LD)

At first, let us recall the definition of the conjugacy search problem and the so-called left self-distributive system [94].

Let $(G, \circ, 1)$ be a noncommutative monoid with identity $1$. For $a \in G$, if there exists an element $b \in G$ so that $a \circ b = 1 = b \circ a$, then we say that $a$ is invertible, and call $b$ an inverse of $a$. Note that not all elements in $G$ are invertible. If the inverse of $a$ exists, it is unique, and is denoted by $a^{-1}$. In a monoid, one can define positive integer powers of an element $a$: $a^1 = a$, and $a^n = \underbrace{a \circ \cdots \circ a}_{n \text{ times}}$ for $n > 1$. If $b$ is the inverse of $a$, one can also define negative powers of $a$ by setting $a^{-1} = b$ and $a^{-n} = \underbrace{b \circ \cdots \circ b}_{n \text{ times}}$ for $n > 1$. In addition, let us denote $a^0 = 1$ for each element $a \in G$. Throughout this section, let $G^{-1}$ be the set of all invertible elements in $G$, i.e.,
$$G^{-1} = \{ a \in G : \exists\, b \in G \text{ so that } a \circ b = 1 = b \circ a \}. \tag{5.19}$$
In fact, $(G^{-1}, \circ, 1)$ forms a group. For clarity, we omit "$\circ$" in the following presentation, i.e., we write $a \circ b$ as $ab$ directly.

The conjugacy problem is extensively studied in group theory. In this section, we extend the conjugacy concept to monoids in a similar manner: given a monoid $G$, for all $a \in G$ and all $x \in G^{-1}$, $xax^{-1}$ is conjugate to $a$, and $x$ is called a conjugator of the pair $(a, xax^{-1})$.
Definition 5.4.1 (Conjugacy Search Problem, CSP). Let $G$ be a noncommutative monoid. Given two elements $a, b \in G$ so that $b = xax^{-1}$ for some unknown element $x \in G^{-1}$, the objective of the conjugacy search problem in $G$ is to find $x' \in G^{-1}$ so that $b = x'ax'^{-1}$ holds. Here, $x'$ is not required to equal $x$.

Definition 5.4.2 (Left self-distributive system, LD [94]). Suppose that $S$ is a non-empty set, $F : S \times S \to S$ is a well-defined function, and let us denote $F(a, b)$ by $F_a(b)$. If the following rewriting formula holds,
$$F_r(F_s(p)) = F_{F_r(s)}(F_r(p)) \qquad (\forall\, p, r, s \in S), \tag{5.20}$$
then we call $F_{\cdot}(\cdot)$ a left self-distributive system, abbreviated as LD system.

The terminology "left self-distributive" arises from the following analogy: if we regard $F_r(s)$ as a binary operation $r * s$, then formula (5.20) becomes
$$r * (s * p) = (r * s) * (r * p), \tag{5.21}$$
i.e., the operation is left distributive with respect to itself [94].

Combining the above two concepts, one can define the following LD system, named the Conj-LD system.

Theorem 5.4.3 (Conj-LD System). Let $G$ be a noncommutative monoid. The binary function $F$ given by the conjugate operation
$$F : G^{-1} \times G \to G, \qquad (a, b) \mapsto aba^{-1}, \tag{5.22}$$
is an LD system, abbreviated as Conj-LD.

Proof. Take $r, s \in G^{-1}$ and $p \in G$ (the identity (5.20) is only meaningful when $r$ and $s$ are invertible, since $F_r(s)$ has to be an admissible first argument of $F$). Both sides of (5.20) expand to the same element:
$$F_r(F_s(p)) = r(sps^{-1})r^{-1} = rsps^{-1}r^{-1}, \qquad F_{F_r(s)}(F_r(p)) = (rsr^{-1})(rpr^{-1})(rsr^{-1})^{-1} = rsr^{-1}\,rpr^{-1}\,rs^{-1}r^{-1} = rsps^{-1}r^{-1}.$$
Thus $F_a(b) = aba^{-1}$ satisfies (5.20) and is an LD system. $\square$
In what follows, we prove some properties of the Conj-LD system. These properties are useful from the cryptographic viewpoint, provided that the related hardness assumptions hold.

Proposition 5.4.4. Let $F$ be a Conj-LD system defined over a noncommutative monoid $G$. Given $a \in G^{-1}$ and $b, c \in G$, we have

(i) $F_a(a) = a$;

(ii) $F_a(b) = c \iff F_{a^{-1}}(c) = b$;

(iii) $F_a(bc) = F_a(b)\,F_a(c)$.

Proof. Firstly, since $aaa^{-1} = a$, we have $F_a(a) = a$. Next, $F_a(b) = c \iff c = aba^{-1} \iff a^{-1}ca = b \iff F_{a^{-1}}(c) = b$. Finally, $F_a(bc) = a(bc)a^{-1} = (aba^{-1})(aca^{-1}) = F_a(b)\,F_a(c)$. $\square$

Proposition 5.4.5 (Power Law). Let $F$ be a Conj-LD system defined over a noncommutative monoid $G$. Suppose that $a \in G^{-1}$ and $b \in G$. Then, for arbitrary positive integers $m, s, t$ with $m = s + t$, we have
$$F_a(b^m) = F_a(b^s)\,F_a(b^t) = F_a(b)^m \qquad \text{and} \qquad F_{a^m}(b) = F_{a^s}\big(F_{a^t}(b)\big). \tag{5.23}$$

Proof. See property (iii) in Proposition 5.4.4 and the definition of the Conj-LD system. $\square$

Remark 5.4.6. The term "left self-distributive system" is used for the following reasons:

• The binary function defined by formula (5.22) does satisfy the left self-distributiveness defined by formula (5.20). In addition, it is more convenient to use $F_a(b)$ than $aba^{-1}$ in the sequel, especially when additional operations are applied to $a$ and $a^{-1}$ simultaneously from both sides.

• In 2006, Dehornoy [94] proposed an authentication scheme based on left self-distributive systems in braid groups. Although some cryptanalysis of Dehornoy's authentication scheme has been reported [202], we find that Dehornoy's work is still meaningful in at least the following two aspects: (1) self-distributive systems can be defined over arbitrary noncommutative monoids, rather than only braid groups; (2) self-distributive systems have the potential for building a variety of cryptographic schemes, rather than only authentication schemes. Therefore, we use the terminology of (left) self-distributive system to give Dehornoy the credit for coining this concept.

Now, using the notation $F_{\cdot}(\cdot)$, the intractability assumption of the CSP problem in $G$ can be re-formulated as follows: it is hard to retrieve $a'$ from the given pair $(a, F_a(b))$ so that $F_a(b) = F_{a'}(b)$. We must take care of the relationship between the intractability assumption of CSP and the hardness of CSP instances. The CSP problem is defined here as a worst-case problem, whereas from the cryptographic viewpoint one needs average-case hardness of CSP instances. Therefore, we need a practical sampling algorithm that produces hard CSP instances over $G$. For a generic noncommutative monoid $G$ without an explicit definition or presentation, it is difficult to determine whether hard CSP instances can be sampled over $G$. In what follows, the CSP instances used in our proposal are always assumed to be hard.

5.4.2 New Assumptions in Conj-LD Systems

Let $G$ be a noncommutative monoid and let $F$ be a Conj-LD system over $G$ (cf. Theorem 5.4.3). Let $a \in G^{-1}$ and let $G_a$ denote the subgroup generated by $\{a, a^{-1}\}$, i.e., $G_a = \langle a, a^{-1} \rangle$. Now, given $b \in G$, we define the following notations:

• $T = \{1, \cdots, n\}$ is a finite subset of $\mathbb{Z}$, where $n$ is the order of $G_a$.$^{9}$

$^{9}$ In case $G_a$ is infinite, we can set $n$ as a fixed integer that is large enough, say 160 bits, to resist exhaustive
• The symbols "$\in T$" and "$\leftarrow T$" always indicate sampling procedures that pick random integers uniformly from $T$.

• $\mathcal{K}_{[a,b]} = \{ F_{a^i}(b) : i \in T \}$ is a finite subset of $G$.

Note that in cryptographic applications, $a$ and $b$ should be chosen appropriately so that $n$ and $|\mathcal{K}_{[a,b]}|$ are large enough to resist exhaustive attacks.

Definition 5.4.7 (CSP-based Computational Diffie-Hellman Problem: CSP-CDH). Let $F$ be a Conj-LD system over a noncommutative monoid $G$ and let $\mathcal{A}$ be an adversary. For given $a \in G^{-1}$ and $b \in G$, consider the following experiment:

Experiment $\mathrm{Exp}^{\mathrm{csp\text{-}cdh}}_{F,\mathcal{A}}$:
    $i \leftarrow T;\ X \leftarrow F_{a^i}(b);$
    $j \leftarrow T;\ Y \leftarrow F_{a^j}(b);$
    $Z \leftarrow \mathcal{A}(X, Y);$
    if $Z = F_{a^{i+j}}(b)$ then return $1$ else return $0$.

Now define the advantage of $\mathcal{A}$ in violating the CSP-based computational Diffie-Hellman assumption as
$$\mathrm{Adv}^{\mathrm{csp\text{-}cdh}}_{F,\mathcal{A}} = \Pr\big[\mathrm{Exp}^{\mathrm{csp\text{-}cdh}}_{F,\mathcal{A}} = 1\big]. \tag{5.24}$$

The CSP-CDH assumption states, roughly, that given $F_{a^i}(b)$ and $F_{a^j}(b)$, where $i, j$ are drawn at random from $T$, it is hard to compute $F_{a^{i+j}}(b)$. Even if the CSP-CDH assumption holds, the adversary may still be able to compute something useful, such as the most significant bit of $F_{a^{i+j}}(b)$, given $F_{a^i}(b)$ and $F_{a^j}(b)$. This means the CSP-CDH assumption is too weak to be used directly in cryptographic applications. Thus, we need the following stronger variants.


attacks. Furthermore, to ensure the randomness of sampling from $\mathcal{K}_{[a,b]}$, $n$ should be the order of a factor group of $G_a$ modulo the centralizer of $b$ in $G_a$.
Definition 5.4.8 (CSP-based Decisional Diffie-Hellman Problem: CSP-DDH). Let $F$ be a Conj-LD system over a noncommutative monoid $G$ and let $\mathcal{A}$ be an adversary. Given $a \in G^{-1}$ and $b \in G$, consider the following two experiments in parallel:

Experiment $\mathrm{Exp}^{\mathrm{csp\text{-}ddh\text{-}real}}_{F,\mathcal{A}}$:
    $i \leftarrow T;\ X \leftarrow F_{a^i}(b);$
    $j \leftarrow T;\ Y \leftarrow F_{a^j}(b);$
    $Z \leftarrow F_{a^{i+j}}(b);$
    $\hat b \leftarrow \mathcal{A}(X, Y, Z);$
    return $\hat b$.

Experiment $\mathrm{Exp}^{\mathrm{csp\text{-}ddh\text{-}rand}}_{F,\mathcal{A}}$:
    $i \leftarrow T;\ X \leftarrow F_{a^i}(b);$
    $j \leftarrow T;\ Y \leftarrow F_{a^j}(b);$
    $\ell \leftarrow T;\ Z \leftarrow F_{a^\ell}(b);$
    $\hat b \leftarrow \mathcal{A}(X, Y, Z);$
    return $\hat b$.

Now define the advantage of $\mathcal{A}$ in violating the CSP-based decisional Diffie-Hellman assumption as
$$\mathrm{Adv}^{\mathrm{csp\text{-}ddh}}_{F,\mathcal{A}} = \left| \Pr\big[\mathrm{Exp}^{\mathrm{csp\text{-}ddh\text{-}real}}_{F,\mathcal{A}} = 1\big] - \Pr\big[\mathrm{Exp}^{\mathrm{csp\text{-}ddh\text{-}rand}}_{F,\mathcal{A}} = 1\big] \right|. \tag{5.25}$$

That is, the CSP-DDH assumption states that the distributions $(F_{a^i}(b), F_{a^j}(b), F_{a^{i+j}}(b))$ and $(F_{a^i}(b), F_{a^j}(b), F_{a^\ell}(b))$ are computationally indistinguishable when $i, j, \ell$ are drawn at random from $T$.

We now move on to another assumption that will be used in our proposal. Here, the adversary is allowed to access a restricted CSP-DDH oracle $\mathcal{O}_v(\cdot, \cdot)$, which behaves as follows:
$$\mathcal{O}_v(X, U) = \begin{cases} 1, & \text{if } U = F_v(X); \\ 0, & \text{otherwise.} \end{cases} \tag{5.26}$$
That is, the oracle tells whether the second argument is the conjugate of the first argument by $v$. This oracle can be treated as a restricted CSP-DDH oracle with one of its arguments fixed as $F_v(b)$.


Definition 5.4.9 (CSP-based Strong Diffie-Hellman Problem: CSP-SDH). Let $F$ be a Conj-LD system over a noncommutative monoid $G$ and let $\mathcal{A}$ be an adversary. Given $a \in G^{-1}$ and $b \in G$, consider the following experiment:

Experiment $\mathrm{Exp}^{\mathrm{csp\text{-}sdh}}_{F,\mathcal{A}}$:
    $i \leftarrow T;\ X \leftarrow F_{a^i}(b);$
    $j \leftarrow T;\ Y \leftarrow F_{a^j}(b);$
    $Z \leftarrow \mathcal{A}^{\mathcal{O}_v(\cdot,\cdot)}(X, Y)$, where $\mathcal{O}_v(X', U) = 1$ iff $U = F_v(X')$ and $v = a^i$ (so that $X = F_v(b)$);
    if $Z = F_{a^{i+j}}(b)$ then return $1$ else return $0$.

Now define the advantage of $\mathcal{A}$ in violating the CSP-based strong Diffie-Hellman assumption as
$$\mathrm{Adv}^{\mathrm{csp\text{-}sdh}}_{F,\mathcal{A}} = \Pr\big[\mathrm{Exp}^{\mathrm{csp\text{-}sdh}}_{F,\mathcal{A}} = 1\big]. \tag{5.27}$$

The intuition behind the CSP-SDH assumption is that the restricted CSP-DDH oracle is useless because the adversary already "knows" the answer to almost any query it will ask. As in [77], it is also worth mentioning that the CSP-SDH assumption is different from (and weaker than) the so-called gap CSP-CDH assumption, where the adversary gets access to a full CSP-DDH decision oracle.

Remark 5.4.10. At present, it is unclear whether the CSP-DDH problem is indeed hard. Intuitively, one cannot solve the CSP-DDH problem without solving the CSP problem if $G$ is a generic monoid. In fact, the CSP problem and the CSP-DDH problem of Conj-LD systems over noncommutative monoids are counterparts of the DLP problem and the DDH problem over finite fields, respectively. According to [212], the DLP problem and the DDH problem are polynomially equivalent in a generic cyclic group. Therefore, we speculate that the CSP problem and the CSP-DDH problem in a generic noncommutative monoid are polynomially equivalent.
5.4.3 Cryptosystems from Conj-LD Systems

In this section, we always assume that $F$ is a Conj-LD system defined over a noncommutative monoid $G$, and that $a \in G^{-1}$ and $b \in G$.

As a warm-up step, let us first describe a Diffie-Hellman-like key agreement protocol based on the CSP-DDH assumption over a noncommutative monoid $G$. Assume that Alice and Bob want to negotiate a common session key. Alice (resp. Bob) picks $s \in T$ (resp. $t \in T$) and sends $F_{a^s}(b)$ (resp. $F_{a^t}(b)$) to Bob (resp. Alice). Finally, both of them can compute $F_{a^{s+t}}(b)$, from which a session key is derived as
$$K_{\mathrm{session}} = \mathrm{Kdf}\big(F_{a^{s+t}}(b)\big), \tag{5.28}$$
where $\mathrm{Kdf}(\cdot)$ is a key derivation function, such as KDF1 defined in IEEE Std 1363-2000.

The above protocol$^{10}$ immediately implies the following ElGamal-like construction, denoted by CSP-ElG.

Protocol 5.4.11. CSP-Based ElGamal-Like Encryption Scheme (CSP-ElG):

• Key generation. Suppose that $k$ is the security parameter, $\mathcal{M} = \{0,1\}^k$ is the message space, and $\mathcal{C} = \mathcal{K}_{[a,b]} \times \mathcal{M}$ is the ciphertext space. In addition, we need a cryptographic hash function $H : \mathcal{K}_{[a,b]} \to \mathcal{M}$. A user first picks $s \in T$, then publishes $pk = F_{a^s}(b)$ as his public key, and keeps his secret key $sk = s$.

• Encryption. Given the public key $pk \in \mathcal{K}_{[a,b]}$ and a message $m \in \mathcal{M}$, one picks $t \in T$ and constructs the ciphertext
$$c = \big( F_{a^t}(b),\; m \oplus H(F_{a^t}(pk)) \big). \tag{5.29}$$

$^{10}$ This protocol cannot resist the so-called man-in-the-middle attack. In this section we do not address how to remedy this.
• Decryption. Given the secret key $s \in T$ and a ciphertext $c = (c_1, c_2) \in \mathcal{K}_{[a,b]} \times \mathcal{M}$, one extracts the plaintext as
$$m = c_2 \oplus H(F_{a^s}(c_1)). \tag{5.30}$$

The consistency of the CSP-ElG scheme follows directly from the power law of the Conj-LD system: $F_{a^s}(c_1) = F_{a^s}(F_{a^t}(b)) = F_{a^{s+t}}(b) = F_{a^t}(F_{a^s}(b)) = F_{a^t}(pk)$. The security of the CSP-ElG scheme is captured by the following theorem.
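As an added example (not part of the book), the following Python script instantiates the Conj-LD operation (5.22), checks the LD identity (5.20) and the power law (5.23), and runs the key agreement (5.28) and CSP-ElG (5.29)/(5.30) on top of it. The monoid is $M_2(\mathbb{Z}_P)$, the $2 \times 2$ matrices modulo a small prime $P$ under matrix multiplication, which is an assumption made only for illustration: the CSP over matrices modulo a prime reduces to linear algebra, so this is a toy $G$ and not a secure instantiation. SHA-256 over the canonical form (entries reduced mod $P$) plays the roles of $\mathrm{Kdf}$ and $H$; the sample elements $A$ and $B$ are constructed here.

```python
# Added example (not the book's code): Conj-LD system F_a(b) = a b a^{-1} over the
# noncommutative monoid M_2(Z_P) of 2x2 matrices mod a prime P, with the power law,
# the DH-like key agreement (5.28) and CSP-ElG (5.29)/(5.30) built on top of it.
# ASSUMPTIONS: P and the sample elements below are chosen for illustration only;
# CSP over matrices mod P is easy (linear algebra), so this is a toy, not a secure G.
import hashlib

P = 1009
I2 = ((1, 0), (0, 1))

def mat_mul(x, y):
    (a, b), (c, d) = x
    (e, f), (g, h) = y
    return (((a*e + b*g) % P, (a*f + b*h) % P),
            ((c*e + d*g) % P, (c*f + d*h) % P))

def mat_inv(x):
    """Inverse in G^{-1}; a matrix with det = 0 is not invertible in the monoid."""
    (a, b), (c, d) = x
    det = (a*d - b*c) % P
    if det == 0:
        raise ValueError("not in G^{-1}: determinant is zero")
    inv = pow(det, -1, P)
    return (((d*inv) % P, (-b*inv) % P), ((-c*inv) % P, (a*inv) % P))

def mat_pow(x, n):
    """a^n by successive squaring (Section 5.4.4): O(log n) multiplications."""
    result, base = I2, x
    while n > 0:
        if n & 1:
            result = mat_mul(result, base)
        base = mat_mul(base, base)
        n >>= 1
    return result

def conj(a, b):
    """The Conj-LD operation (5.22): F_a(b) = a b a^{-1}."""
    return mat_mul(mat_mul(a, b), mat_inv(a))

def F(a, i, b):
    """F_{a^i}(b): compute a^i once, then one inversion and two products."""
    return conj(mat_pow(a, i), b)

def ld_identity_holds(r, s, p):
    """Check (5.20): F_r(F_s(p)) == F_{F_r(s)}(F_r(p)) for invertible r, s."""
    return conj(r, conj(s, p)) == conj(conj(r, s), conj(r, p))

def kdf(x):
    """Hash of the canonical form (entries reduced mod P), cf. (C-1) to (C-3)."""
    return hashlib.sha256(repr(x).encode()).digest()

def agree_keys(a, b, s, t):
    """Alice sends F_{a^s}(b), Bob sends F_{a^t}(b); both derive Kdf(F_{a^{s+t}}(b))."""
    alice_msg, bob_msg = F(a, s, b), F(a, t, b)
    k_alice = kdf(conj(mat_pow(a, s), bob_msg))    # F_{a^s}(F_{a^t}(b))
    k_bob = kdf(conj(mat_pow(a, t), alice_msg))    # F_{a^t}(F_{a^s}(b))
    return k_alice, k_bob

def keygen(a, b, s):
    """pk = F_{a^s}(b); the secret key is the exponent s."""
    return F(a, s, b)

def encrypt(a, b, pk, t, m):
    """(5.29): c = (F_{a^t}(b), m xor H(F_{a^t}(pk))), for an integer m < 2^256."""
    return F(a, t, b), m ^ int.from_bytes(kdf(conj(mat_pow(a, t), pk)), "big")

def decrypt(a, s, c1, c2):
    """(5.30): m = c2 xor H(F_{a^s}(c1))."""
    return c2 ^ int.from_bytes(kdf(conj(mat_pow(a, s), c1)), "big")

# Sample elements, constructed for this example
A = ((2, 1), (1, 1))       # det 1, so A lies in G^{-1}
B = ((3, 5), (7, 11))

if __name__ == "__main__":
    ka, kb = agree_keys(A, B, 123, 456)
    print("session keys agree:", ka == kb)
    pk = keygen(A, B, 123)
    c1, c2 = encrypt(A, B, pk, 789, 0xC0FFEE)
    print("decrypted:", hex(decrypt(A, 123, c1, c2)))
```

The consistency argument of the text is visible in `agree_keys` and `decrypt`: both parties end up conjugating by commuting powers of the same $a$, so the order in which $a^s$ and $a^t$ are applied does not matter, while a wrong exponent yields a different conjugate because $a$ does not commute with $b$.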

Theorem 5.4.12 (IND-CPA of CSP-ElG). Under the CSP-DDH assumption, the ciphertexts of the encryption scheme CSP-ElG are indistinguishable under chosen plaintext attacks in the standard model.

Proof. Assume that the CSP-DDH assumption holds for the underlying noncommutative monoid $G$. We prove by contradiction that CSP-ElG is IND-CPA. Suppose that CSP-ElG is not IND-CPA, and let $\mathcal{A}$ be an algorithm which, on the system parameters $a \in G^{-1}$, $b \in G$ and a random public key $pk \in \mathcal{K}_{[a,b]}$, has probability non-negligibly greater than $1/2$ of distinguishing random encryptions $\mathrm{Enc}(m_0)$ and $\mathrm{Enc}(m_1)$ of two messages $m_0, m_1$ of its choice. Let $Z = (F_{a^s}(b), F_{a^t}(b), F_{a^u}(b)) \in \mathcal{K}^3_{[a,b]}$ be either a random CSP-DDH triple or a random triple, with equal probability. We construct an algorithm $\mathcal{B}$ which distinguishes the two cases with high probability, using $\mathcal{A}$ as an oracle.

The algorithm $\mathcal{B}$, interacting with $\mathcal{A}$, proceeds as follows:

• $\mathcal{B}$ first picks a random integer $v \in T$ and sets the public key to $pk = F_{a^{s+v}}(b) = F_{a^v}(F_{a^s}(b)) \in \mathcal{K}_{[a,b]}$, which it computes from the first component of $Z$ and sends to $\mathcal{A}$.

• Upon receiving the public key $pk$, $\mathcal{A}$ selects two messages $m_0, m_1 \in \mathcal{M}$ of equal length as the challenge messages and sends them to $\mathcal{B}$.

• Upon receiving the challenge pair $(m_0, m_1)$, $\mathcal{B}$ picks another random integer $w \in T$, flips a coin $\beta \in \{0, 1\}$, and replies to $\mathcal{A}$ with the challenge ciphertext
$$c_\beta^* = \big( F_{a^{t+w}}(b),\; m_\beta \oplus H(F_{a^{u+v+w}}(b)) \big),$$
where $F_{a^{t+w}}(b) = F_{a^w}(F_{a^t}(b))$ and $F_{a^{u+v+w}}(b) = F_{a^{v+w}}(F_{a^u}(b))$ are computed from the second and third components of $Z$.

• Upon receiving the challenge ciphertext $c_\beta^*$, $\mathcal{A}$ replies to $\mathcal{B}$ with $\hat\beta \in \{0, 1\}$, i.e., $\mathcal{A}$'s guess of $\beta$.

• Upon receiving $\hat\beta$, $\mathcal{B}$ checks whether $\mathcal{A}$'s guess is correct, i.e., whether $\hat\beta = \beta$ holds.

• By repeating the above process with several different choices of the random integers $v, w$, the algorithm $\mathcal{B}$ can determine with high probability whether or not $\mathcal{A}$ can determine the value of $\beta$. Based on the analysis below, $\mathcal{B}$ can in this way determine whether or not $Z$ is a CSP-DDH triple, thus violating the CSP-DDH assumption over $G$.

In detail, two cases have to be considered during a single execution of the above interaction between $\mathcal{B}$ and $\mathcal{A}$.

• Suppose that $u = s + t$. Then $u + v + w = (s + v) + (t + w)$, so $Z$ is a CSP-DDH triple in $\mathcal{K}^3_{[a,b]}$. Moreover, all possible CSP-DDH triples w.r.t. $(a, b)$ are equally likely to occur as $Z$, since $v$ and $w$ are random. Hence, $c_\beta^*$ is a valid random encryption of $m_\beta$, because $F_{a^{t+w}}(b)$ is uniformly random in $\mathcal{K}_{[a,b]}$. Under these conditions, the algorithm $\mathcal{A}$, by hypothesis, outputs $\beta$ with probability exceeding $1/2$ by a non-negligible quantity.

• Suppose that $u$ is random. Then $Z$ is a random triple in $\mathcal{K}^3_{[a,b]}$, and all triples in $\mathcal{K}^3_{[a,b]}$ occur with equal probability. In this situation, the probability distribution of $c_0^*$ is identical to that of $c_1^*$, w.r.t. all possible random choices of $v$ and $w$. It follows that the algorithm $\mathcal{A}$ cannot behave differently for $\beta = 0$ and $\beta = 1$. Note that this conclusion holds even though $c_\beta^*$ is an invalid encryption of $m_\beta$: although nothing is known about how $\mathcal{A}$ behaves on invalid inputs, it is certain that $\mathcal{A}$ cannot behave differently depending on the value of $\beta$.

The above analysis shows that if $Z$ is a CSP-DDH triple then $\mathcal{A}$ exhibits, with non-negligible probability, different behavior depending on whether $\beta = 0$ or $\beta = 1$, whereas $\mathcal{A}$ must behave identically regardless of the value of $\beta$ if $Z$ is not a CSP-DDH triple. $\square$

Based on the above scheme, it is not difficult to derive a CCA-secure encryption scheme by employing the Fujisaki-Okamoto transformation. Here, we give two different extensions inspired by [1, 77, 91, 177]. The first extension is the hashed ElGamal variant, which is IND-CCA secure in the random oracle model, and the second is the Cramer-Shoup-like variant, which is IND-CCA secure in the standard model.

Protocol 5.4.13. CSP-hElG.

• Key generation. Suppose that $k$ is the security parameter, $\mathcal{M} = \{0,1\}^k$ is the message space, and $\mathcal{C} = \mathcal{K}_{[a,b]} \times \mathcal{M}$ is the ciphertext space. In addition, we need a symmetric cipher $\Pi = (E, D)$ with key space $\mathcal{K}$, and a hash function $H : \mathcal{K}^2_{[a,b]} \to \mathcal{K}$. A user first picks an integer $s \in T$, then publishes $pk = F_{a^s}(b)$ as his public key, and keeps his secret key $sk = s$.

• Encryption. Given the public key $pk \in \mathcal{K}_{[a,b]}$ and a message $m \in \mathcal{M}$, one picks an integer $t \in T$ and constructs the ciphertext $c = (c_1, c_2)$ as follows:
$$c_1 := F_{a^t}(b),\qquad T' := F_{a^t}(pk),\qquad K := H(c_1, T'),\qquad c_2 := E_K(m). \tag{5.31}$$

• Decryption. Given the secret key $s \in T$ and a ciphertext $c = (c_1, c_2) \in \mathcal{K}_{[a,b]} \times \mathcal{M}$, one extracts the plaintext as follows:
$$Z := F_{a^s}(c_1),\qquad K := H(c_1, Z),\qquad m := D_K(c_2). \tag{5.32}$$

The consistency of the CSP-hElG scheme is again easily verified from the power law of the Conj-LD system, since $Z = F_{a^s}(F_{a^t}(b)) = F_{a^t}(F_{a^s}(b)) = T'$. The security of the CSP-hElG scheme is formulated by the following theorem.

Theorem 5.4.14 (IND-CCA of CSP-hElG). If $H$ is modeled as a random oracle, and the underlying symmetric cipher $\Pi$ is secure against chosen ciphertext attacks, then the hashed ElGamal encryption scheme CSP-hElG is secure against chosen ciphertext attacks under the CSP-SDH (strong CSP-CDH) assumption.

Proof. See Theorem 2 in [1] and Theorem 1 in [177], as well as the improvement of DHIES given in Section 5.1 of [177]. $\square$

Protocol 5.4.15. CSP-CS.

• Key generation. Suppose that $k$ is the security parameter, $\mathcal{M} = \{0,1\}^k$ is the message space, and $\mathcal{C} = \mathcal{K}^2_{[a,b]} \times \widetilde{\mathcal{K}}_{[a,b]} \times \mathcal{M}$ is the ciphertext space, where $\widetilde{\mathcal{K}}_{[a,b]}$ is defined as
$$\widetilde{\mathcal{K}}_{[a,b]} = \left\{ F_{a^i}\big(F_{a^{j_1}}(b)\, F_{a^{j_2}}(b)\big) : i, j_1, j_2 \in T \right\}.$$
In addition, we need a symmetric cipher $\Pi = (E, D)$ with key space $\mathcal{K}$, and two hash functions $H : \mathcal{K}^2_{[a,b]} \to T$ and $H_1 : \mathcal{K}_{[a,b]} \to \mathcal{K}$. A user first picks $x_1, x_2, x_3, x_4 \in T$, then publishes $pk = (X_1, X_2, X_3, X_4)$ as his public key and keeps his secret key $sk = (x_1, x_2, x_3, x_4)$, where $X_i = F_{a^{x_i}}(b)$ for $i = 1, 2, 3, 4$.

• Encryption. Given the public key $pk = (X_1, X_2, X_3, X_4) \in \mathcal{K}^4_{[a,b]}$ and a message $m \in \mathcal{M}$, one picks $t \in T$ and constructs the ciphertext $c = (c_1, c_2, c_3, c_4)$ as follows:
$$c_1 := F_{a^t}(b),\qquad c_2 := F_{a^t}(X_1),\qquad c_3 := F_{a^t}\big(F_{a^h}(X_2)\, X_3\big),\qquad c_4 := E_K(m),$$
where $h := H(c_1, c_2)$ and $K := H_1(F_{a^t}(X_4))$.

• Decryption. Given the secret key $(x_1, x_2, x_3, x_4) \in T^4$ and a ciphertext $c = (c_1, c_2, c_3, c_4) \in \mathcal{K}^2_{[a,b]} \times \widetilde{\mathcal{K}}_{[a,b]} \times \mathcal{M}$, one first computes $h := H(c_1, c_2)$ and then tests whether the following two equalities hold:
$$F_{a^{x_1}}(c_1) = c_2 \qquad \text{and} \qquad F_{a^{h+x_2}}(c_1)\, F_{a^{x_3}}(c_1) = c_3.$$
If not, output $\bot$. Otherwise, compute $K := H_1(F_{a^{x_4}}(c_1))$ and output $m := D_K(c_4)$.

The consistency and the security of the CSP-CS scheme are formulated by the following two theorems, respectively.

Theorem 5.4.16 (Consistency of CSP-CS). The CSP-CS scheme is consistent.

Proof. Suppose that $c = (c_1, c_2, c_3, c_4)$ is a well-formed ciphertext of the message $m$. Then there exists some integer $t \in T$ so that
$$c_1 := F_{a^t}(b),\qquad c_2 := F_{a^t}(X_1),\qquad c_3 := F_{a^t}\big(F_{a^h}(X_2)\, X_3\big),\qquad c_4 := E_K(m),$$
where $h := H(c_1, c_2)$ and $K := H_1(F_{a^t}(X_4))$. Since $X_i = F_{a^{x_i}}(b)$ for $i = 1, 2, 3, 4$, the power law (5.23) and property (iii) of Proposition 5.4.4 give
$$\begin{aligned}
K &= H_1\big(F_{a^t}(F_{a^{x_4}}(b))\big) = H_1\big(F_{a^{t+x_4}}(b)\big) = H_1\big(F_{a^{x_4}}(F_{a^t}(b))\big) = H_1\big(F_{a^{x_4}}(c_1)\big), \\
c_2 &= F_{a^t}\big(F_{a^{x_1}}(b)\big) = F_{a^{x_1+t}}(b) = F_{a^{x_1}}\big(F_{a^t}(b)\big) = F_{a^{x_1}}(c_1), \\
c_3 &= F_{a^t}\big(F_{a^h}(F_{a^{x_2}}(b))\, F_{a^{x_3}}(b)\big) = F_{a^t}\big(F_{a^{h+x_2}}(b)\, F_{a^{x_3}}(b)\big) \\
    &= F_{a^t}\big(F_{a^{h+x_2}}(b)\big)\, F_{a^t}\big(F_{a^{x_3}}(b)\big) = F_{a^{t+h+x_2}}(b)\, F_{a^{t+x_3}}(b) \\
    &= F_{a^{h+x_2}}\big(F_{a^t}(b)\big)\, F_{a^{x_3}}\big(F_{a^t}(b)\big) = F_{a^{h+x_2}}(c_1)\, F_{a^{x_3}}(c_1).
\end{aligned}$$
That is, the ciphertext $c$ passes the validation, and the value of $K$ used in the encryption $c_4 = E_K(m)$ is exactly the value of $K$ used in the decryption $m = D_K(c_4)$. Since $\Pi = (E, D)$ is symmetric, the output $m$ of the decryption is exactly the input $m$ of the encryption. Therefore, the CSP-CS scheme is consistent. $\square$

Theorem 5.4.17 (IND-CCA of CSP-CS). Suppose $H$ is a target collision resistant hash function. Further, suppose the CSP-DDH assumption holds, and the symmetric cipher $\Pi = (E, D)$ is secure against chosen ciphertext attack. Then CSP-CS is secure against chosen ciphertext attack.

Proof. See Theorem 13 in [77]. $\square$

5.4.4 Security and Efficiency Issues on $F_{a^t}(b)$

To compute $F_{a^t}(b)$, we first compute $a^t$, and then perform one inversion and two multiplications in the underlying noncommutative monoid $G$. When $t$ is large, say several hundred digits, rather than multiplying $a$ by itself $t$ times, a "successive doubling" (square-and-multiply) method should be employed, so a factor of $\log t$ enters the performance evaluation. At present, it is enough to take $t$ as a 160-bit integer to resist exhaustive attacks.

It is necessary to assume that the basic monoid operations (i.e., multiplication and inversion) can be carried out efficiently. This assumption implies that the lengths of the representations of all elements in $G$, including $a$, $b$, $a^t$ and $F_{a^t}(b)$, are polynomial in the system security parameters, since the results have to be represented in bits on classical computers.

Moreover, we require that there is a secure and efficient canonical form for representing elements in $G$. This means that

(C-1) Using this form, the representation of an element in $G$ is unique. Otherwise, the proposed schemes cannot work.

(C-2) The transformation of an element of $G$ into its canonical form can be carried out efficiently. Otherwise, the proposed schemes are impractical.

(C-3) Using this form, the length of an element $F_{a^t}(b)$ does not reveal any information about $a^t$. Otherwise, the developed assumptions could suffer from the so-called length-based attacks.


5.5 Improved Key Exchange over Thompson's Group

In 2005, Shpilrain and Ushakov proposed a key exchange protocol, referred to as SU05, based on the intractability of the decomposition problem in Thompson's group [259]. They claimed that the decomposition problem has the same difficulty level as the conjugacy search problem [6, 175], and that the advantage of the proposed protocol is its invulnerability to length-based attacks according to their simulation results. In 2007, Ruinskiy et al. [235] proposed an improved length-based attack, referred to as RST07, which does indeed threaten the security of SU05. They used five methods, "using memory," "avoiding repetitions," "looking ahead," "automorphism attacks," and "alternative solutions," to improve the basic length-based attack and tested their success rates in breaking SU05. From their simulation results, the best success rate is over 80%. By investigating the properties of SU05 and the basic length-based attack, as well as the computational complexity of RST07, we [80] propose an improved key exchange protocol over Thompson's group. It can resist known length-based attacks, including RST07 and similar ones.

5.5.1 Thompson's Group and the Decomposition Problem

Thompson's group $F$ is well known in many areas of mathematics, including algebra, geometry, and analysis. This group is infinite and noncommutative. It is important that Thompson's group has the following nice presentation in terms of generators and relations:
$$F = \left\langle x_0, x_1, x_2, \cdots \;\middle|\; x_i^{-1} x_k x_i = x_{k+1}\ (k > i) \right\rangle. \tag{5.33}$$
This presentation is infinite. There are also finite presentations of this group, for example,
$$F = \left\langle x_0, x_1, x_2, x_3, x_4 \;\middle|\; x_i^{-1} x_k x_i = x_{k+1}\ (k > i,\ k < 4) \right\rangle.$$
For the infinite presentation, any $w \in F$ can be represented by a unique normal form
$$x_{i_1} \cdots x_{i_s}\, x_{j_t}^{-1} \cdots x_{j_1}^{-1} \tag{5.34}$$
so that

• (NF1) $i_1 \le \cdots \le i_s$ and $j_1 \le \cdots \le j_t$;

• (NF2) if both $x_i$ and $x_i^{-1}$ occur, then either $x_{i+1}$ or $x_{i+1}^{-1}$ occurs, too.

The time complexity of reducing a word of length $n$ to its normal form in Thompson's group is $O(n \log n)$, which is very efficient. Since each word has a unique normal form, we use "word length" to mean "length of the word's normal form" in the rest of this section.

Recalling the decomposition problem over braid groups (see Section 5.2.2), we define the decomposition problem over Thompson's group $F$ as follows: given a subset $A \subseteq F$ and a pair of elements $(w, w') \in F^2$, find two elements $x, y \in A$ so that $w' = x \cdot w \cdot y$. In fact, the conjugacy search problem is the special case of the decomposition problem obtained by taking $x = y^{-1}$.

5.5.2 Analysis of the SU05 Protocol

Based on the intractability assumption of the decomposition problem over an arbitrary (semi)group $G$, achieving key agreement is quite straightforward: take two subsets $A, B \subseteq G$ so that $ab = ba$ for any $a \in A$, $b \in B$, and a public element $w \in G$. Alice selects private $a_1 \in A$, $b_1 \in B$ and sends the element $a_1 w b_1$ to Bob. Similarly, Bob selects private $b_2 \in B$, $a_2 \in A$ and sends the element $b_2 w a_2$ to Alice. Then Alice computes $K_{\mathrm{Alice}} = a_1 b_2 w a_2 b_1$ and Bob computes $K_{\mathrm{Bob}} = b_2 a_1 w b_1 a_2$. Since $a_i b_j = b_j a_i$ ($i, j = 1, 2$) in $G$, one has $K_{\mathrm{Alice}} = K_{\mathrm{Bob}} = K$, which can be used as Alice's and Bob's common secret key.

The non-triviality of the SU05 protocol lies in instantiating it with Thompson's group $F$ given by its standard infinite presentation (5.33), in the method for defining the suitable subsets $A, B \subseteq F$, and in the method for sampling the related elements of $F$.

Suppose that $s \in \mathbb{N}^+$ is the first system parameter, which determines the size of the following generating sets. Let $S_A = \{x_0 x_1^{-1}, x_0 x_2^{-1}, \cdots, x_0 x_s^{-1}\}$, $S_B = \{x_{s+1}, x_{s+2}, \cdots, x_{2s}\}$ and $S_W = \{x_1, x_2, \cdots, x_{s+2}\}$ be the generating sets, and let the groups generated by $S_A^{\pm 1}$, $S_B^{\pm 1}$ and $S_W^{\pm 1}$ be $A_s$, $B_s$ and $W$, respectively. Obviously, $A_s$ and $B_s$ are subgroups of $F$ and, according to [259], for all $a \in A_s$ and all $b \in B_s$, $ab = ba$.

Another system parameter of the protocol, $L \in \mathbb{N}^+$, is chosen to control the word length. SU05 uses the same method to randomly generate $a_1, a_2 \in A_s$, $b_1, b_2 \in B_s$ and $w \in W$. We take $a_1$ as an example to analyze the generating process.

The generating process begins with the empty word $e$. Let $u_0 = e$. First, randomly choose an element $r_1$ from $S_A^{\pm 1}$, multiply $u_0$ on the right by $r_1$, and obtain $u_1$. For example, if $r_1 = x_0 x_1^{-1}$, then $u_1 = u_0 r_1 = x_0 x_1^{-1}$. Repeat the previous step until the word length reaches $L$. Then we have generated a random word $a_1 \in A_s$ of length $L$.

From the analysis of the generating process of $a_1$, we find that $a_1$ can always be generated within finitely many steps, from the empty word to a word of length $L$, due to one property of Thompson's group: with very high probability, the product of two words is longer than either of the two words. Thus after each multiplication, the word length increases with high probability. As long as the generators are randomly chosen, the word length will eventually reach $L$ within finitely many steps. Suppose the expected increment of the word length after each step is $E(\Delta l)$; then on average, after $L / E(\Delta l)$ steps, a word of length $L$ is generated. Here $E(\Delta l)$ is a constant that depends only on the subset $S_A^{\pm 1}$, so the generation time of $a_1$ is linear in $L$.

Although the generating process is efficient due to the above property of Thompson's group, the protocol is also insecure under length-based attacks for the very same reason.

5.5.3 Analysis of the RST07 Attack

First, let us review the process of the basic length-based attack and analyze the capability of SU05 to resist it. Let $G$ be a subgroup of Thompson's group $F$, generated by the generators in $S_G = \{g_1^{\pm 1}, \cdots, g_k^{\pm 1}\}$. For unknown $y, w \in G$, we are given the product $z = yw$ and a black box BOX, where for any $w' \in G$, $\mathrm{BOX}(w') = 1$ if $w' = w$ holds, and $\mathrm{BOX}(w') = 0$ otherwise. The purpose of the length-based attack is to output the exact $w$.

Represent $y$ as a product of generators, i.e., $y = y_1 y_2 \cdots y_n$, where $y_i \in S_G$. Then we have $z = y_1 y_2 \cdots y_n w$. Let $\ell(z)$ be the word length of $z$. Since in Thompson's group, "with very high probability, the product of two words is longer than either of the two words," the following inequality also holds with very high probability:
$$\ell(y_1^{-1} z) < \ell(z) < \ell(y_j z), \tag{5.35}$$
where $y_j \in S_G$ and $y_j \neq y_1^{-1}$. It indicates that if we multiply $z$ on the left by each of the $2k$ generators, then, except for $y_1^{-1}$, the other $2k - 1$ generators will make the length of the product increase with very high probability.

Based on this observation, a basic length-based attack algorithm can be formalized as follows:

Algorithm 1 Basic Length-based Attack
Input: product $z = yw$, black box BOX
Output: $w$ or $\bot$
1: $z \leftarrow yw$
2: while the running time does not exceed the limit do
3:     choose $h \in S_G$ so that $\ell(h^{-1} z) \le \ell(g^{-1} z)$ for all $g \in S_G$
4:     $z \leftarrow h^{-1} z$
5:     if $\mathrm{BOX}(z) = 1$ then
6:         return $z$
7:     end if
8: end while
9: return $\bot$
Note that the algorithm needs a running-time limit in order to stop looping if it keeps failing for a long time. As we can see, the algorithm is based on the assumption that the generator $h$ which minimizes $\ell(h^{-1} z)$ is the right decomposition.
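To make Algorithm 1 concrete, here is an added Python example (not code from the book or from [235]) that runs the basic length-based attack in a setting where the length heuristic of (5.35) is exact rather than probabilistic: a free group on $k$ generators, with freely reduced words as the canonical form and word length as $\ell(\cdot)$. The black box is simulated by an equality check against $w$, exactly as BOX is defined above; the instances are constructed for the example. The second instance in the test has a cancellation at the seam between $y$ and $w$, so the premise of (5.35) fails and the attack walks off and times out, which is the failure mode the text goes on to discuss.

```python
# Added example (not from the book or [235]): the basic length-based attack of
# Algorithm 1 in a free group on k generators, where "the product is longer than
# its factors" holds exactly unless a cancellation occurs at the seam y|w.
# Words are lists of nonzero ints: i stands for g_i and -i for g_i^{-1}.

def freely_reduce(word):
    """Canonical form: cancel adjacent g g^{-1} pairs; len(out) is l(word)."""
    out = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out

def mul(u, v):
    return freely_reduce(list(u) + list(v))

def inverse(u):
    return [-g for g in reversed(u)]

def generators(k):
    """S_G = {g_1^{+-1}, ..., g_k^{+-1}}: the 2k candidates tried at each step."""
    return [g for i in range(1, k + 1) for g in (i, -i)]

def basic_length_based_attack(z, box, k, limit):
    """Algorithm 1. Returns (peeled y, recovered w, steps) or None on timeout.

    Each iteration picks the generator h minimising l(h^{-1} z) (ties resolved by
    generator order, which is exactly where the attack can go wrong), replaces
    z by h^{-1} z and asks BOX whether the remainder equals w.
    """
    peeled = []
    for step in range(1, limit + 1):
        h = min(generators(k), key=lambda g: len(mul([-g], z)))
        z = mul([-h], z)
        peeled.append(h)
        if box(z):
            return peeled, z, step
    return None

def make_instance(y, w):
    """Constructed instance: z = y w and an equality-only black box for w."""
    w = freely_reduce(w)
    z = mul(y, w)
    return z, (lambda candidate: candidate == w)

# Constructed example with k = 3: y = g_1 g_2 g_3^{-1}, w = g_2 g_3 g_1^{-1}
Y = [1, 2, -3]
W = [2, 3, -1]

if __name__ == "__main__":
    z, box = make_instance(Y, W)
    print("z =", z, "->", basic_length_based_attack(z, box, 3, 100))
```

In the free group every wrong generator lengthens $z$ by one and only $y_1^{-1}$ shortens it, so the attack peels $y$ off letter by letter in exactly $n$ steps; Thompson's group only approximates this, which is why the text measures success rates rather than guarantees.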

We take the following example to analyze the attack algorithm. Assume k = 3, so that
S_k consists of 2k = 6 elements, three generators and their inverses. Let n = 3 and
y = y_1 y_2 y_3. The process of generating y can be seen as a walk on a 2k-ary tree, as
shown in Fig. 5.6(a). It begins with the empty word e and randomly chooses one of the
2k (k = 3) child nodes, y_1. This step is repeated until some y_n is chosen such that the
required length of y = y_1 y_2 ··· y_n is reached. Since the 2k-ary tree has (2k)^n leaf
nodes at the nth level, each representing a possible value of y, it is infeasible to
find y by brute-force search.



Figure 5.6: An example for analyzing basic length-based attack 

The attack performs this process in reverse: it is a search on the 2k-ary tree. The dark
nodes are the targets of the attack and form the optimal search path (Figure 5.6(b)).
The best outcome for an attack algorithm is to find this path, which gives the
decomposition of y. However, in step 3 of Algorithm 1 there is usually more than one
node to choose from. For example, in Fig. 5.6(b), when searching at the second level,
if there are two child nodes P and Q of equal length and the algorithm wrongly chooses
Q, then it must search all child nodes of Q that are shorter than P before returning
to P. This makes the algorithm fall into an exponential search in the worst case. If
there are on average two candidate nodes at each level, the time complexity of the
attack algorithm is O(2^n). This should be the main reason why the basic length-based
attack cannot defeat SU05 [259].

Next, let us analyze the performance of RST07, i.e., the improved length-based
attack proposed by Ruinskiy et al. [235]. RST07 includes the following five
improvements. We analyze them one by one with the purpose of finding methods for
resisting this improved attack.

• Using memory. Using memory increases the width of the search. With memory, the
algorithm computes the 2kM child nodes of M subtrees and keeps the M shortest of them
as the roots of the subtrees for the next iteration. The search width thus grows from
1 to M. This makes the algorithm more efficient, but it is still exponential: if, in
some iteration, the right node is not among the M candidates, the algorithm may
degenerate to an exponential search. Suppose there exists a y_j such that
$\ell(y_j w_{j+1}) < \ell(w_{j+1})$, where $w_{j+1} = y_{j+1} \cdots y_n w$; that is,
left multiplying w_{j+1} by y_j makes its length decrease. In this situation the right
node may be excluded from the M candidates, because peeling y_j off the current word
y_j w_{j+1} increases the length, even though that child happens to be the correct one.
In fact, this is the most common situation in which the basic length-based attack
fails: the success of the attack rests on the core assumption that the direction of
length descent is the correct one, and the above situation is exactly the opposite.
If we introduce more such situations, the success rate of the attack algorithm
obviously decreases.
• Avoiding repetitions. Avoiding repetitions is an improvement commonly used in
search. Since two nodes of the search tree may carry the same value, the algorithm
maintains a hash table recording the values of the visited nodes; if a value appears
again, the node is removed from the candidate list. Avoiding repetitions therefore not
only improves the efficiency of the algorithm but also prevents it from being trapped
in a cycle. The extra time and space costs of the method are negligible.

• Look-ahead. Look-ahead increases the depth of the search. The original algorithm
searches one level at a time, while this method searches p levels at a time. The
problem with look-ahead is obvious. On the one hand, its time cost grows exponentially
with p: traversing a p-level subtree costs (2k)^p, so p cannot be large. On the other
hand, since p is small, if several right nodes increase the length, the algorithm still
cannot find the right path even when it looks ahead p steps. For example, if in a
p-level subtree there are p/2 right nodes that increase the length, then the right node
at level p is also longer, and the algorithm again falls into an exponential search.
The simulation results of RST07 support this claim: look-ahead raises the success rate
only slightly.

• Automorphism attacks. According to the simulation results of RST07, the improvement
from automorphism attacks is not satisfactory. This indicates that in Thompson's group,
at least under their choice of parameters, random automorphisms are highly correlated,
so the effect of this method is negligible.

• Alternative solutions. The alternative-solutions improvement is not a general method
but a solution specific to SU05. Although it is very efficient, it does not change the
search complexity. The method helps the algorithm find more potential right nodes,
which greatly reduces the search time, but only on the condition that the search
direction is right. If the algorithm enters a wrong subtree, it is still likely to fall
into an exponential search.

In brief, the basic length-based attack frequently falls into an exponential search,
so its success rate is very low. The most significant improvements of RST07 are using
memory and look-ahead, because to some extent they avoid the exponential search;
however, the cost of look-ahead is too large for it to be effective. Avoiding
repetitions is standard in search algorithms; it is effective, but it does not change
the complexity of the algorithm. Automorphism attacks are limited by the strong
correlation among the automorphisms, so they are not effective either. Alternative
solutions not only speed up verification but also reduce the search volume, so they
clearly increase the success rate; but they do not change the search complexity from
exponential to polynomial, and they are not a general method.

Therefore, if we want to improve the security of SU05, we need to force the attack
algorithm into an exponential search. In order to test the efficiency of RST07, we
implemented SU05 and RST07 and collected our own experimental data. From the analysis
of these data we propose an improved key exchange protocol over Thompson's group.

5.5.4 Tests and Improvements 

We choose to realize the combination of "using memory + avoiding repetitions +
alternative solutions," which has the highest success rate in the original paper. The
simulation results are shown in Table 5.2, where η is the success rate of RST07
recovering a_1, with M = 1024. We vary s and L to analyze the success rate under
different parameters and use these results as the reference for the later experiments.
Each success rate is the average over 1000 test cases, and a run counts as a failure
once it has searched more than 100,000 nodes.

Because of possible differences in experimental equipment and in the definition of
failure (how many nodes are visited), our simulation results differ from those in the
original paper. We nevertheless use our own results as the reference for analyzing our
improvements of SU05.

Table 5.2: Success rate η (%) of RST07 recovering a_1 (M = 1024)

  L      s = 3   s = 4   s = 5   s = 6   s = 7   s = 8
  64     93.5    82.6    67.3    50.1    32.5    11.6
  128    34.5    23.1    17.2     8.9     3.1     1.2
  256    11.3     6.2     3.7     1.2     0.3     0
  320     8.8     4.2     1.5     0.6     0.1     0

As shown in Table 5.2, the success rate of the attack algorithm decreases dramatically
as s and L increase. Whether the base or the exponent grows, the efficiency of the
algorithm drops rapidly; this behavior itself shows that the algorithm is exponential.
Obviously, increasing the protocol parameters is one direct way to resist exponential
attacks.

Based on the foregoing analysis, we find that randomly generating a_1 leads to a
nondecreasing growth of its length. As a result, when the inverses of a_1's factors are
left multiplied onto a_1 w b_1 one after another, the length of the product decreases
step by step, which is exactly the success condition of length-based attacks. Thus we
need to control the process of generating a_1 to improve its robustness against
length-based attacks. We therefore propose an improved key exchange protocol over
Thompson's group as follows:

1. Pick s ∈ [6, 10] and L ∈ {512, 514, ..., 640}. Set the security parameters N, T, R.
Choose w ∈ W so that ℓ(w) = L. Publish s, L, w, N, T, R.

2. Alice randomly chooses secret a_1 ∈ A_s and b_1 ∈ B_s with ℓ(a_1) = L and
ℓ(b_1) = L, and computes u_1 = a_1 w b_1.

3. Write a_1 = r_1 r_2 ··· r_n, where each r_i is a generator of A_s or the inverse of
one, and b_1 = t_1 t_2 ··· t_m, where each t_j is a generator of B_s or the inverse of
one. Alice verifies the following conditions.

   (a) n > N (and m > N).

   (b) $\ell(r_T^{-1} \cdots r_2^{-1} r_1^{-1} u_1) \ge \ell(u_1)$
       (and $\ell(u_1 t_m^{-1} t_{m-1}^{-1} \cdots t_{m-T+1}^{-1}) \ge \ell(u_1)$).

   (c) After the inverses of a_1's first T factors are left multiplied onto u_1 one at
       a time (the inverses of b_1's last T factors right multiplied onto u_1), the
       difference r between the maximum and minimum lengths of the intermediate words
       satisfies r > R.

   If all of the above conditions are satisfied, Alice sends u_1 to Bob. Otherwise, she
   goes back to step 2 to regenerate a_1, b_1 and recompute u_1.

4. Bob generates a_2 ∈ A_s, b_2 ∈ B_s and computes u_2 = b_2 w a_2, checking them as
Alice does in steps 2 and 3.

5. Alice computes K_Alice = a_1 u_2 b_1 after getting u_2 from Bob.

6. Bob computes K_Bob = b_2 u_1 a_2 after getting u_1 from Alice.

Since every element of A_s commutes with every element of B_s,
K_Alice = a_1 b_2 w a_2 b_1 = b_2 a_1 w b_1 a_2 = K_Bob.

There are two differences between the new protocol and the original. One is that the
system parameters s and L are increased. The other is that a_1, b_1, a_2, b_2 must
satisfy the requirements of step 3.

We introduced three new parameters N, T, R in our protocol. Alice (and Bob) can choose
them to achieve different security levels. We take a_1 as an example to explain the
three parameters. (1) The number of a_1's factors must be greater than N. The more
factors a_1 has, the deeper the search tree is, and the less likely the attack
algorithm succeeds. (2) The length of u_1 must not decrease when it is left multiplied
by the inverses of the first T factors of a_1. This guarantees that some of the first
T factors increase the length of u_1, i.e., the first T steps of the correct path do
not all descend in length. (3) Compute the maximum and minimum lengths in the process
of left multiplying the inverses of a_1's first T factors onto u_1, and define r as the
difference between them. Require r > R. A protocol with larger r is harder to defeat
with the attack algorithm.
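The pieces described above, as an added example that is not part of the book's code: a minimal implementation of Thompson's group F in reduced normal form, the SU05-style exchange on the subgroups A_s and B_s, the memory-M length-based attack with repetition avoidance of Algorithm 1 and RST07 (the black box is the test "residue equals w"), and the step-3 filter (conditions (a), (b), (c)) of the improved protocol. The following are assumptions of this example rather than statements from the page: the length function ℓ is the length of the Cannon–Floyd–Parry normal form; A_s = ⟨x_0 x_i^{-1}, 1 ≤ i ≤ s⟩, B_s = ⟨x_{s+1}, ..., x_{2s}⟩ and w a word in x_0, ..., x_{s+2}, as in SU05; and the toy parameters. The names `attack_instance`, `passes_filter` and `length_based_attack` are introduced here.

```python
import random
from functools import reduce

# Added illustration, not the book's code.  Elements of Thompson's group F are kept in the
# reduced normal form x_{p1}..x_{pm} x_{nn}^-1..x_{n1}^-1 (Cannon, Floyd, Parry); "length" is
# the length of that normal form, assumed to be the length the attack measures.  Assumed as
# in SU05: A_s = <x_0 x_i^-1, 1 <= i <= s>, B_s = <x_{s+1}..x_{2s}>, w a word in x_0..x_{s+2}.
class F:
    __slots__ = ("pos", "neg")   # pos: non-decreasing; neg (the inverse block): non-increasing
    def __init__(self, pos=(), neg=()): self.pos, self.neg = list(pos), list(neg)
    def __eq__(self, o): return (self.pos, self.neg) == (o.pos, o.neg)
    def __hash__(self): return hash((tuple(self.pos), tuple(self.neg)))
    def length(self): return len(self.pos) + len(self.neg)
    def inverse(self): return F(reversed(self.neg), reversed(self.pos))

    def __mul__(self, o):
        r = self
        for k in o.pos: r = r.times_gen(k, 1)
        for k in o.neg: r = r.times_gen(k, -1)
        return r

    def times_gen(self, k, e):
        """self * x_k^e, rewriting with x_j x_i = x_i x_{j+1} (i < j) and its inverse forms."""
        pos, neg = self.pos[:], self.neg[:]
        if e == 1:
            for i in range(len(neg) - 1, -1, -1):   # carry x_k leftwards through the inverses
                if neg[i] == k:                      # x_k^-1 x_k = 1
                    del neg[i]
                    return F(pos, neg)._reduce()
                if neg[i] < k: k += 1                # x_b^-1 x_k = x_{k+1} x_b^-1  (b < k)
                else: neg[i] += 1                    # x_b^-1 x_k = x_k x_{b+1}^-1  (b > k)
            j = len(pos)
            while j and pos[j - 1] > k:              # x_a x_k = x_k x_{a+1}        (a > k)
                pos[j - 1] += 1
                j -= 1
            pos.insert(j, k)
        else:
            j = len(neg)
            while j and neg[j - 1] < k:              # x_b^-1 x_k^-1 = x_{k+1}^-1 x_b^-1 (b < k)
                k += 1
                j -= 1
            if j == 0 and pos and pos[-1] == k: pos.pop()   # x_k x_k^-1 = 1
            else: neg.insert(j, k)
        return F(pos, neg)._reduce()

    def _reduce(self):
        """x_i and x_i^-1 present but no x_{i+1}^{+-1}: cancel the innermost pair and lower the
        indices between them by one (x_i x_m x_i^-1 = x_{m-1} for m >= i + 2)."""
        while True:
            bad = [i for i in set(self.pos) & set(self.neg)
                   if i + 1 not in self.pos and i + 1 not in self.neg]
            if not bad: return self
            p = len(self.pos) - 1 - self.pos[::-1].index(bad[0])
            n = self.neg.index(bad[0])
            self.pos[p:] = [x - 1 for x in self.pos[p + 1:]]
            self.neg[:n + 1] = [x - 1 for x in self.neg[:n]]

def gen(k, e=1): return F([k]) if e == 1 else F([], [k])
def product(factors): return reduce(lambda r, f: r * f, factors, F())
def random_factors(gens, n, rng): return [rng.choice(gens + [g.inverse() for g in gens]) for _ in range(n)]

def passes_filter(u1, factors, N, T, R):
    """Step 3 of the improved protocol for a1 = r1...rn: (a) n > N; (b) peeling the first T
    factors leaves the length >= l(u1); (c) the length spread over those steps exceeds R."""
    profile, z = [u1.length()], u1            # lengths the attacker sees on the correct path
    for r in factors[:T]:
        z = r.inverse() * z
        profile.append(z.length())
    ok = len(factors) > N and profile[-1] >= profile[0] and max(profile) - min(profile) > R
    return ok, profile

def length_based_attack(u1, w, a_gens, b_gens, M=64, budget=20000):
    """Memory-M length-based attack with repetition avoidance, keeping u1 = a z b: A_s generators
    are peeled off the left, B_s generators off the right, and the black box is z == w."""
    a_moves = [h for g in a_gens for h in (g, g.inverse())]
    b_moves = [h for g in b_gens for h in (g, g.inverse())]
    beam, seen = [(u1, F(), F())], {u1}
    while beam and len(seen) < budget:
        children = []
        for z, a, b in beam:
            children += [(h.inverse() * z, a * h, b) for h in a_moves]   # u1 = (a h)(h^-1 z) b
            children += [(z * h.inverse(), a, h * b) for h in b_moves]   # u1 = a (z h^-1)(h b)
        children = [c for c in children if c[0] not in seen and not seen.add(c[0])]  # no repeats
        for z, a, b in children:
            if z == w: return a, b                   # found a', b' with a' w b' = u1
        beam = sorted(children, key=lambda c: c[0].length())[:M]        # keep the M shortest
    return None                                      # budget exhausted: the attack failed

def attack_instance(s=2, key_len=2, w_len=8, M=64, seed=0):
    """One exchange on toy parameters, then the attack: (found, valid), where valid means the
    recovered pair reproduces u1 and hence Bob's key b2 u1 a2."""
    rng = random.Random(seed)
    a_gens = [gen(0) * gen(i, -1) for i in range(1, s + 1)]
    b_gens = [gen(i) for i in range(s + 1, 2 * s + 1)]
    w = product(random_factors([gen(i) for i in range(s + 3)], w_len, rng))
    a1, b1, a2, b2 = (product(random_factors(g, key_len, rng)) for g in (a_gens, b_gens, a_gens, b_gens))
    u1, u2 = a1 * w * b1, b2 * w * a2
    k_bob = b2 * u1 * a2                 # equals Alice's a1 u2 b1 because A_s and B_s commute
    found = length_based_attack(u1, w, a_gens, b_gens, M)
    if found is None: return False, False
    a, b = found
    return True, a * w * b == u1 and a * u2 * b == k_bob
```

With one factor per side (`attack_instance(s=2, key_len=1, w_len=6)`) the beam of 64 holds every node of the first two levels, so the attack succeeds regardless of the length heuristic; with longer keys and a small M it either returns a valid (a', b') or exhausts its budget, which is the failure mode the tables in this section measure. Note that any a' ∈ A_s, b' ∈ B_s with a' w b' = u_1 yields Bob's key b_2 u_1 a_2, so the attacker never needs the exact a_1, and `passes_filter` reports the length profile on the correct path, which is what conditions (b) and (c) constrain.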

We repeat the simulation with our protocol to show its advantages. We still choose the
combination of "using memory + avoiding repetitions + alternative solutions" as the
attack algorithm, with M = 1024.

The purpose of our simulation is to show how the success rate of the attack algorithm
is affected by the three new parameters. In order to reduce the effect of the other
parameters, we choose s ∈ {3, 4} and L ∈ {64, 128, 256}.



5.5. IMPROVED KEY EXCHANGE OVER THOMPSON'S GROUP 311


• Lower bound on the number of factors (parameter N). If N is too large, generating
a_1 becomes inefficient, so N must be chosen properly. To test the success rate of
RST07 recovering a_1, we fix T = 0, R = 0 and vary s, L, N, as shown in Table 5.3.

Table 5.3: Success rate η (%) of RST07 recovering a_1 with a restricted N (T = 0, R = 0)

  L      N      s = 3   s = 4
  64     120    55.6    45.9
         140    52.8    41.6
         160    49.0    40.2
         180    45.7    37.8
  128    240    24.3    17.4
         280    22.0    15.5
         320    20.4    14.9
         360    18.1    13.6
  256    480     7.6     4.4
         560     6.9     3.8
         640     6.7     3.5
         720     6.1     3.2

Obviously, for different L we need to choose different ranges of N. Comparing
Table 5.3 with Table 5.2, we find that the success rate decreases rapidly. For the same
pair of s and L, increasing N decreases the success rate only slightly. Thus we just
need to choose a proper N.

• Ensuring that the first factors increase the length (parameter T). T is used to
make sure that the length of the resulting word does not decrease when the inverses of
the first T factors of a_1 are left multiplied onto u_1. Similarly, we should choose a
proper T to keep the generation of a_1 efficient. We fix N = 0, R = 0 and vary s, L, T,
as shown in Table 5.4, to test the success rate of RST07 recovering a_1.

From Table 5.4 we can see that this method greatly decreases the success rate as T
grows. Note that the time needed to generate a_1 also grows with T. When T = 100, it
takes about 30 minutes to obtain a valid a_1, which is not acceptable. We suggest that
T be less than 85.

Table 5.4: Success rate η (%) of RST07 recovering a_1 with a restricted T (N = 0, R = 0)

              s = 3                        s = 4
  T      L = 64  L = 128  L = 256    L = 64  L = 128  L = 256
  40     33.1    12.6     6.3        31.6    10.7     4.7
  50     25.3     9.5     4.2        22.9     7.5     2.2
  60     12.5     6.7     2.3        10.2     4.2     1.0


• Restriction on the length spread (parameter R). R is the lower bound on the
difference between the maximum and minimum lengths. To test the success rate of RST07
recovering a_1, we fix N = 0, T = 0 and vary s, L, R.

Table 5.5: Success rate η (%) of RST07 recovering a_1 with a restricted R (N = 0, T = 0)

              s = 3                        s = 4
  R      L = 64  L = 128  L = 256    L = 64  L = 128  L = 256
  6      36.4    18.6     8.7        32.5    13.7     4.9
  8      32.1    16.9     8.0        29.8    11.5     4.5
  10     27.5    13.9     6.8        26.6     9.5     3.9

As shown in Table 5.5, this method also effectively decreases the success rate. The
larger R is, the longer it takes the attack algorithm to arrive at the correct nodes.
As with T, the time needed to generate a_1 increases as R grows, so R should not be too
large.

• Combination of the above improvements. We take the three parameters into
consideration simultaneously to design our last experiment. The choices of parameters
and the success rate η of RST07 recovering a_1 are shown in Table 5.6.

Table 5.6: Success rate η (%) of RST07 recovering a_1 with restricted N, T, R

                       s = 3                        s = 4
  (N, T, R)       L = 64  L = 128  L = 256    L = 64  L = 128  L = 256
  (120, 40, 6)    19.8     6.5     1.4        14.4     4.8     0.4
  (140, 50, 8)     9.5     3.9     0.5         7.9     2.2     0.1
  (160, 60, 10)    4.1     1.2     0.2         3.2     0.6     0

Comparing these results with Table 5.2, we see that the improvements are effective.
Although the improved length-based attack RST07 is effective, it still does not change
the complexity from exponential to polynomial, and its success relies on the random
generation of the secret words. If we modify the process of generating these words,
the attack becomes inefficient. In addition, the idea behind our improved protocol can
be extended to resist general length-based attacks on protocols over other algebraic
structures: since length-based attacks rely on the change of word lengths, the same
countermeasure applies to all kinds of protocols over noncommutative groups.


5.6 Notes 

In this chapter, we have opened a window onto noncommutative cryptography for those
who are not familiar with the subject. Our introduction is far from complete. In
particular, we did not cover other attacks against the aforementioned noncommutative
cryptosystems. We think that a cryptographic scheme or protocol that opens a new door
for cryptographic applications has great significance, even if the original version is
insecure in some respects. We also introduced some of our own contributions on this
subject, published at AsiaCCS 2007, Inscrypt 2010, and SCIENCE CHINA Information
Sciences, among others; we refer to [80, 284-287] for more technical details. In
addition, readers are encouraged to read the survey paper [112] and the book [218].

As for braid-based cryptography, one of the most challenging problems is how to sample
hard CSP instances. It turns out that for a braid-based cryptographic scheme to be
secure, it is essential that keys are selected from a "very small" subset rather than
from the whole group. Constructing these subsets for a particular cryptographic scheme
is usually a very challenging problem [218].

As for the Z-modular method, there are at least three interesting and challenging
directions still to be developed. The first is to find more promising instantiations
over various algebraic structures. The second is to design new cryptographic schemes
based on the cryptographic assumptions derived by the Z-modular method. The third is to
extend the Z-modular method from univariate polynomials to multivariate polynomials,
and then to bridge the Z-modular method and the well-known multivariate cryptographic
method.

Another interesting problem is to consider the braided Thompson group BV, which was
developed independently by Dehornoy and Brin. Geometrically, an element of BV can be
viewed as the coupling of two elements of Thompson's group F by a braid (see
Figure 5.7). According to Bux and Sonkin, BV does not admit a non-trivial linear
representation. Thus, from a cryptographic perspective, it possesses the advantages of
the braid group and of Thompson's group simultaneously.



Figure 5.7: Geometric illustration of the braided Thompson group BV. (a) Two elements in F; (b) one element in BV.



Chapter 6 


Perspectives 


In this chapter, we give some perspectives, including applications and open problems,
on the new directions of modern cryptography. The applications cover wired and wireless
communication networks, satellite communication networks, multicast/broadcast and TV
networks, computer networks, newly emerging networks such as the Internet of Things,
cloud computing, social networks and named data networks, and the fields of digital
rights management, radio-frequency identification, proof of taken path, conditional
access, biometric authentication, and so on.


6.1 On Proxy Re-Cryptography 

As we see, more and more researchers are working on proxy re-cryptography, especially
on its applications [245]. It is safe to say that applications drive forward the
research on proxy re-cryptography.

Proxy re-cryptography is being applied to data sharing [104, 151, 168], group key
management [81], cloud storage [197], vehicular ad hoc networks (VANETs) [269],
multicast [149], digital rights management (DRM) [163, 271], proof of taken path [11],
anonymous routing [204], radio-frequency identification (RFID) [140, 170], certified
mailing lists [171], and so on. These applications can be roughly classified into the
following three kinds:

Application 1: Inter-domain scenarios. Proxy re-cryptography was originally designed
for scenarios in which a signature (ciphertext) should be verifiable (decryptable) in
many domains [11, 140, 163, 170, 197, 204, 269, 271]. When a signature (ciphertext)
travels into a new domain, it can be transformed into the corresponding one for that
domain by the transformation functionality of proxy re-cryptography. Once a signature
(ciphertext) can travel across many domains as in its own domain, the problems of
trust transfer, verifiability transfer, and decryption-ability transfer can be solved
easily, and the storage cost of different encryptions and signatures is saved. Hence,
the resulting system becomes quite flexible and efficient.

Application 2: Multi-receiver scenarios. In these scenarios, one sender usually sends
an encryption to many receivers via one or several third parties [81, 149, 168, 216].
Ideally, no matter how many receivers exist and how many new receivers appear after the
encryption, the computational cost on the sender side is constant, and only the
intended receivers can recover the plaintext. This demand is easily met with proxy
re-encryption: the sender, the third party, and the receivers act as the delegator,
proxy, and delegatee(s), respectively. When a new receiver appears, the sender only
needs to send the corresponding re-encryption key to the proxy, and the proxy transforms
the encryption into another encryption that the new receiver can decrypt.


Application 3: Key revocation scenarios. In these scenarios, data is usually
encrypted under some keys and shared among a group of users via a server [81, 104,
151, 168]. Such scenarios require backward security and forward security, which
essentially require a key revocation process. Backward security guarantees that a new
user cannot access old data, while forward security prevents a user who has left from
accessing new data. With proxy re-encryption, once the data is re-encrypted by the
server, it can be decrypted only by the new decryption key (corresponding to the
delegatee in proxy re-encryption), not by the old one (corresponding to the delegator).
Hence, the old decryption key is revoked.

Generally speaking, the ordinary proxy re-cryptographic schemes defined in Chapter 2
cannot be used in the above scenarios directly. For example, cloud storage [197]
requires threshold proxy re-encryption, where the role of the proxy is played by a
group of sub-proxies. On the other hand, the current solutions based on proxy
re-cryptography are not yet perfect. For instance, the solution to proof of taken
path [11] cannot efficiently prove the exact path the user took, because we do not yet
have any multi-use, unidirectional proxy re-cryptographic scheme with constant-size
outputs.

Given these three situations in proxy re-cryptography, we expect more new proxy
re-cryptographic schemes designed for new applications, and more new applications
based on proxy re-cryptography.

6.2 On Attribute-Based Cryptography 

We present several application environments based on the research results in
attribute-based cryptography. As we know, attribute-based encryption can merge
encrypted storage and access control seamlessly [31, 55, 66, 188, 273, 280, 282, 306].
These applications can be roughly classified into the following kinds:

Application 1: Multi and fuzzy targeted encryption. Multi and fuzzy targeted
encryption [227] describes a new attribute-based encryption scenario in which a single
encrypted copy can be decrypted by different users holding different private keys.
Consider a scenario in which a large school periodically sends updated schedules to
all professors. The files are encrypted under access policies over a professor's
gender (Male, ¬Male), experience ((> 5 years), ¬(> 5 years)), department (Computer,
¬Computer), and specialty (Network, ¬Network). The school manager might construct an
encrypted email with the access structure (Male) ∧ (> 5 years) ∧ (Computer) to inform
these professors of the location of recent conferences. Suppose there is a male
doctor, Jack, with seven years of work experience in a computer department. He is
qualified to open the encrypted email since the attribute set of his secret key
satisfies the access structure. A male professor in the Mathematics department,
however, is not qualified to open it. As a direct result, this kind of encryption can
easily be transformed into an anonymous encryption scheme that preserves the receivers'
privacy [32, 166, 189, 236]. We also expect more privacy-preserving applications of
multi and fuzzy targeted encryption.

Application 2: Trust authority application. In ABE schemes, the central authority can
decrypt all ciphertexts. We first remove the central authority by threshold
multi-authority ABE [292]. Although no individual authority can then decrypt all
ciphertexts in the system, each authority can still decrypt those ciphertexts whose
access structures are satisfied by the attributes it manages. We further address this
problem to achieve trustworthiness of the authority [201]. In addition, more scenarios
can apply multi-authority ABE to decentralize the threat posed by the authority.
Application 3: Conditional access system. Ciphertext-policy attribute-based
encryption can be used in the conditional access system [31] of digital television
[114, 305]. Different users are labeled with different attributes according to their
subscriptions or purchases. TV programs are encrypted under an access structure and
sent to all users; only the users whose attributes satisfy the access structure can
watch them.

Application 4: Location-based service. Interval encryption can be used not only in
broadcast encryption schemes but also in vehicular networks [15, 147, 150, 238] and
other location-based service networks [157, 237]. A vehicle (equipped with the private
key) can decrypt the ciphertext only if its private key belongs to the interval that was
used as the public key in the encryption; no one else can decrypt without the related
private key. Such ciphertexts can be encrypted and stored at service spots to build
networks for providing the service. Interval encryption not only keeps the message or
service confidential but also provides a new way to preserve privacy in vehicular
networks [105].

Application 5: Named data network application. The emerging named data networking
(NDN) [310] focuses on a new Internet architecture that can capitalize on the strengths
and address the weaknesses of the Internet's current host-based, point-to-point
communication architecture in order to naturally accommodate emerging patterns of
communication. NDN has some innate privacy-friendly features, such as the lack of
source and destination addresses in packets. In practice, this means that an adversary
who eavesdrops on a link close to a content producer cannot immediately identify the
consumer who expressed interest in that particular content. Moreover, two features of
standard NDN routers, content caching and collapsing of redundant interests, reduce the
utility of eavesdropping near a content producer, since not all interests for the same
content reach its producer [98]. However, NDN provides no protection against an
adversary that monitors the local activities of a specific consumer. As most content
names are expected to be semantically related to the content itself, interests can leak
a lot of information about the content they aim to retrieve. To mitigate this issue,
"encrypted names" may be a solution, with the producer encrypting the name. However,
this simple approach leaves no meaningful names for routing and prevents sharing of the
content among requests. Attribute-based encryption could merge encrypted storage and
access control here as well.

Application 6: Selective attribute delegation. Combined with proxy re-encryption,
attribute-based encryption can also be used in a university's personal information
system [100]. In this system, there are confidential records such as the grades of
every student. This information is encrypted under the access policy
"(AGE > 40) ∧ (Tenure)". Professors who are older than 40 and hold a tenured position
receive the secret keys corresponding to "AGE > 40" and "Tenure", and are thus qualified
to retrieve the confidential records. Nevertheless, when these professors are on
vacation, it is necessary to find trustworthy substitutes who can decrypt these records
in time. Therefore, ABPRE allows a qualified professor to freely designate a proxy who
can translate these encrypted records into ones encrypted under a different access
policy (for example, administrators with at least 10 years of working experience,
"(Admin) ∧ (EXP > 10)"). Hence, even if no qualified professor is available, a highly
experienced administrator can open the confidential records with the help of the
professor's proxy [14, 154, 190, 239, 256].

Application 7: Biometric authentication. An important application of FIBS is
biometric authentication [185, 220, 301]. A biometric authentication system is
essentially a pattern-recognition system that recognizes a person based on a feature
vector derived from a specific physiological or behavioral characteristic that the
person possesses. Since biometrics cannot be lost or forgotten like computer passwords,
they have the potential to offer higher security and more convenience for users.
However, two scans of the same biometric feature are, with high probability, not
identical. As a result, directly using biometric features as the password or
authentication value for comparison is not a good solution. FIBS provides an attractive
solution to biometric authentication using cryptographic techniques, since two scan
results of the same person overlap to a certain (possibly high) proportion while the
proportion is low for different persons. With FIBS [301], it is not necessary to store
the biometric feature for comparison, which saves a lot of storage and yields economic
benefits.


6.3 On Batch Cryptography 

Although research on batch cryptography started in 1989, there are still open problems
in the field. At the same time, applications based on batch cryptography can be widely
deployed. Let us consider the perspective of batch cryptography. We present several
application environments based on the research results on batch cryptography.

Application 1: Batch request processing. In the cloud computing environment [281,
292], the customer performs a handshake with the cloud server at the beginning of the
communication. When the requests exceed the server's handling capacity, responses are
delayed and the service is affected in a way similar to a denial-of-service attack.
It becomes worse when customers use encryption to send their requests. Batch
cryptography resolves this problem: when senders send requests under the cloud server's
public key, the cloud server can perform batch key agreement, improving efficiency while
maintaining security, without handling customers one by one in a point-to-point way.
Here, we stress that it is an open problem how to apply the batch cryptography technique
in every many-to-one communication environment to achieve efficiency and security.

Application 2: Batch packet authentication. In wireless networks such as ad hoc
networks [307] and delay-tolerant networks [311, 312], packet authentication is a
critical security service that ensures the authenticity and integrity of packets during
multi-hop transmission. Public-key signatures, which have been suggested in existing
packet security protocol specifications, achieve packet authentication at the cost of
increased computational and transmission overhead and higher energy consumption, which
is undesirable for energy-constrained ad hoc networks and DTNs. Batch authentication
schemes, through aggregate signatures and batch verification, can achieve efficient
packet authentication and reduce the communication cost in resource-constrained
networks.

Application 3: Batch network coding. In network coding scenarios, each packet is
transmitted encrypted under our batch RSA schemes. Each node in the network can be
equipped with software or hardware, designed as universal chips, that decrypts the
ciphertexts of a fixed block in parallel. We can use the subset of solutions of the
Plus-Type Equations or Minus-Type Equations and a single modular operation to solve
such a problem. These chips can also be used in key exchange schemes for the
multi-request scenarios in cloud computing.


6.4 On Noncommutative Cryptography 


Although research on noncommutative cryptography can be traced back to 1984, the 
field is still young. As far as we know, the earliest formal appearance of the term 
"noncommutative cryptography" is at the Second International Conference on Symbolic 
Computation and Cryptography (SCC 2010) (see http://scc2010.rhul.ac.uk/). Informally, 
Myasnikov et al. used the term even earlier, and the new upsurge of research on 
noncommutative cryptography owes a great deal to their efforts. Let us now consider 
the prospects of noncommutative cryptography. 

Recently, Fine et al. [112] gave a list of open problems related to group-based 
cryptography. Most of these open problems are relevant to noncommutative cryptography 
as well. Instead of enumerating the problems for each concrete noncommutative 
algebraic structure, we classify the open problems of noncommutative cryptography 
into the following categories: 

Open problem 1: What is the most appropriate noncommutative platform (group, 
semigroup, ring, or other algebraic structures) for cryptography? 

In fact, this is one of the most common questions and it is very difficult 
to answer. First, braid groups might not be good candidates, although 
they are probably the most "famous" platform for noncommutative 
cryptography: at present we still face the challenge of generating 
secure keys for braid-based cryptography, not to mention the recently 
published successful cryptanalyses of braid-based schemes. Second, we 
believe that using special matrices in noncommutative cryptography has 
potential advantages. In particular, matrices carry a ring structure, 
so two binary operations rather than one can be used to "diffuse" 
transmissions. However, whenever matrices are used there is always the 
danger of a linear algebra attack. A possible way to avoid this kind of 
attack might be to use matrices over a rather peculiar semiring that 
does not embed into a field. Third, as the best-known noncommutative 
group, the symmetric group S_n should be explored carefully. On one 
hand, operations in S_n can be implemented efficiently, and certain 
hidden subgroup problems over S_n resist the known quantum algorithms; 
on the other hand, the conjugator search problem (CSP) over S_n seems 
tractable on average, so we have to turn to other hard problems over S_n. 

Open problem 2: How to estimate the hardness of the related cryptographic problems, 
especially when the problems are unsolvable or undecidable? 

Classical complexity theory stops at the point where we conclude that 
a given computational or decisional problem is unsolvable or undecidable. 
However, such conclusions are not sufficient for cryptographic 
applications. For example, Diophantine equations are unsolvable in 
general, but almost all published cryptographic schemes based on 
Diophantine equations have been broken. The same happens with the 
knapsack problem, which is NP-hard in the worst case. Therefore, to 
reduce the security of a cryptographic scheme to some underlying problem 
P, we should be confident of at least one of the following: (1) P is 
intractable on average; (2) P is intractable in the worst case and we 
have an efficient method for sampling many of the worst instances of P; 
(3) P is intractable in the worst case and the reduction is also 
worst-case, i.e., breaking the scheme leads to solving an arbitrary 
instance of P. 

Open problem 3: How to extend the theory of provable security so that it is suitable 
for noncommutative cryptography? 


The concept of indistinguishability plays a key role in the theory of 
provable security. However, noncommutative cryptography typically 
deals with finitely generated, and often infinite, groups. Without 
proper sampling methods it is hard to define a desired distribution, 
let alone indistinguishability between distributions. In addition, 
random objects are very important in cryptography. Thus we need not 
only efficient methods to sample elements from a (possibly infinite) 
space, but also a well-established theory for estimating the randomness 
of the distributions obtained by given sampling methods. Fortunately, 
probability theory on groups was developed even before the birth of 
public-key cryptography and is now available for the analysis of 
probability measures and related characteristics in noncommutative 
cryptography. 

Open problem 4: Is it possible to bridge noncommutative cryptography with quantum 
cryptography? 

The starting point of noncommutative cryptography is to resist quantum 
attacks, and quantum cryptography (quantum key distribution in 
particular) is known to be unconditionally secure. Thus it is 
meaningful to build a bridge between the two. 

On one hand, the development of quantum theory has indeed benefited 
from matrix theory and noncommutative multiplication [12]. In 
particular, each quantum gate can be expressed as a unitary matrix, 
and the noncommutativity of matrix multiplication implies that quantum 
operations are essentially noncommutative too. Thus we can try to 
study quantum cryptography using methods from noncommutative 
cryptography, such as the ideas behind braid-based cryptography. On 
the other hand, we have already developed quantum algebraic and 
topological objects such as quantum integers, quantum tori, quantum 
braids, and quantum knots. If the quantum versions of the corresponding 
classical cryptographic problems, say the conjugator search problem 
over quantum braids, are intractable in the quantum Turing model, then 
the quantum versions of the corresponding classical cryptographic 
schemes and protocols, say the AAG protocol over quantum braids, might 
be secure against quantum attacks. 

Open problem 5: Is it possible to bridge noncommutative cryptography with biological 
cryptography? 

The field of DNA computing, or, more generally, biomolecular computing, 
was established in Leonard M. Adleman's seminal paper [2]. DNA 
sequences are known to appear in the form of double helices in living 
cells, in which one DNA strand is hybridized to its complementary 
strand through a series of hydrogen bonds. DNA computing requires that 
the self-assembly of the oligonucleotide strands happen in such a way 
that hybridization occurs in a manner compatible with the goals of the 
computation. There are multiple methods for building a computing device 
based on DNA, each with its own advantages and disadvantages. Among 
them, the concept of toehold exchange manifests a noncommutative 
algebraic system. In this system, an input DNA strand binds to a sticky 
end, or toehold, on another DNA molecule, which allows it to displace 
another strand segment from the molecule. This allows the creation of 
modular logic components such as AND, OR, and NOT gates and signal 
amplifiers, which can be linked into arbitrarily large computers. 
Clearly, this kind of binding operation is noncommutative. Therefore, 
the remaining problem is to find intractable¹ problems based on the 
toehold exchange system. Then we can design biological cryptographic 
schemes. 

To conclude the exploration of the subject of noncommutative cryptography, we 
would like to quote from the Fields Lecture given by Atiyah [12] at the World 
Mathematical Year 2000 Symposium: 

"A third theme is the shift from commutative to noncommutative. This is 
perhaps one of the most characteristic features of mathematics, particularly 
algebra, in the 20th century. The noncommutative aspect of algebra has been 
extremely prominent" ... "All these are different ways or strands that form 
the basis of the introduction of noncommutative multiplication into algebra, 
which is the 'bread and butter' of 20th century algebraic machinery." 

Is it possible that the introduction of noncommutative operations into cryptography 
would become the "bread and butter" of cryptographic machinery in the 21st century? 
We hope so. 

¹ Here, the term intractability should be understood in the DNA computing environment. In fact, from the 
standpoint of computability theory, DNA computing does not provide any new capabilities. For example, 
if the space required for the solution of a problem grows exponentially with the size of the problem (i.e., 
EXPSPACE problems) on von Neumann machines, it still grows exponentially with the size of the problem on 
DNA machines. For very large EXPSPACE problems, the amount of DNA required is too large to be practical. 
(From Wikipedia, the free encyclopedia, http://en.wikipedia.org/wiki/DNA_computing) 
Appendix A: All 122 solutions of $\sum_{1 \le i \le 8} \frac{1}{x_i} + \frac{1}{\prod_{1 \le i \le 8} x_i} = 1$

1: (2, 3, 7, 43, 1807, 3263443, 10650056950807, 113423713055421844361000443)
2: (2, 3, 7, 43, 1807, 3263443, 10650057792155, 134811739261383753719)
3: (2, 3, 7, 43, 1807, 3263443, 10652778201539, 41691378583707695)
4: (2, 3, 7, 43, 1807, 3263443, 10699597306267, 2300171639909623)
5: (2, 3, 7, 43, 1807, 3263447, 2130014000915, 22684798220467498090185211)
6: (2, 3, 7, 43, 1807, 3263447, 2130014387399, 11739058070963394487)
7: (2, 3, 7, 43, 1807, 3263479, 288182779055, 243811701792623)
8: (2, 3, 7, 43, 1807, 3263483, 260604226747, 80249212735823)
9: (2, 3, 7, 43, 1807, 3263495, 200947673239, 67137380077902268343)
10: (2, 3, 7, 43, 1807, 3263495, 200949404503, 23316080984691959)
11: (2, 3, 7, 43, 1807, 3263531, 119666789791, 8081907028348841339)
12: (2, 3, 7, 43, 1807, 3263591, 71480133827, 761302020256877140089595)
13: (2, 3, 7, 43, 1807, 3263779, 31834629787, 4396910340967)
14: (2, 3, 7, 43, 1807, 3264187, 14298637519, 152316021000302785506427)
15: (2, 3, 7, 43, 1807, 3316627, 203509259, 109643149191047)
16: (2, 3, 7, 43, 1807, 3586039, 36800447, 2550097247)
17: (2, 3, 7, 43, 1811, 655519, 389313431, 1507818475)
18: (2, 3, 7, 43, 1811, 713899, 7813583, 2409102303622951)
19: (2, 3, 7, 43, 1811, 793595, 3722287, 233296531681207)
20: (2, 3, 7, 43, 1817, 298637, 279594269, 3859101523354821017)
21: (2, 3, 7, 43, 1819, 252731, 2134319143, 6047845668256680791)
22: (2, 3, 7, 43, 1823, 193667, 637617223447, 406555723635623909338363)
23: (2, 3, 7, 43, 1823, 193667, 637617223459, 31273517203328870463055)
24: (2, 3, 7, 43, 1823, 193675, 4683210919, 754794584867)
25: (2, 3, 7, 43, 1831, 132347, 231679879, 1197240789041771)
26: (2, 3, 7, 43, 1891, 40379, 9444811, 55866875)
27: (2, 3, 7, 43, 1943, 25615, 456729463, 450222796871)
28: (2, 3, 7, 43, 1951, 30571, 118463, 14484098803019)
29: (2, 3, 7, 43, 2105, 12773, 2775277, 168100338289)
30: (2, 3, 7, 43, 2137, 16921, 37501, 49708999789)
31: (2, 3, 7, 43, 2755, 5407, 172771, 357538828973647)
32: (2, 3, 7, 43, 2813, 5045, 692705317, 188433744928309)
33: (2, 3, 7, 43, 3263, 4051, 2558951, 61088439723561979)
34: (2, 3, 7, 43, 3559, 3667, 33816127, 797040720326433787)
35: (2, 3, 7, 47, 395, 779731, 607979652631, 369639258012703445569531)
36: (2, 3, 7, 47, 395, 779731, 607979652647, 21743485766025360000683)
37: (2, 3, 7, 47, 395, 779731, 607979652683, 6974325623477705424647)
38: (2, 3, 7, 47, 395, 779731, 607979653531, 410254449012081168631)
39: (2, 3, 7, 47, 395, 779731, 607979655287, 139119028839856004123)
40: (2, 3, 7, 47, 395, 779731, 607979697799, 8183472856913555659)
41: (2, 3, 7, 47, 395, 779731, 607979793451, 2624887933109395111)
42: (2, 3, 7, 47, 395, 779731, 607982046587, 154405744751990423)
43: (2, 3, 7, 47, 395, 779743, 46768385339, 1672627310178141725483)
44: (2, 3, 7, 47, 395, 779747, 35764242947, 12154487527525118239)
45: (2, 3, 7, 47, 395, 779827, 6286857907, 2158880732959)
46: (2, 3, 7, 47, 395, 779831, 6020372531, 3660733426607933569531)
47: (2, 3, 7, 47, 395, 781727, 305967719, 125881309327)
48: (2, 3, 7, 47, 395, 782111, 257276179, 57278664659)
49: (2, 3, 7, 47, 395, 782287, 277442411, 1701723083)
50: (2, 3, 7, 47, 395, 782611, 211810259, 1592773460578079)
51: (2, 3, 7, 47, 395, 816247, 17428931, 652510750371360683)
52: (2, 3, 7, 47, 395, 1108727, 2627707, 140495574531059)
53: (2, 3, 7, 47, 403, 19403, 15435513367, 238255072887400163323)
54: (2, 3, 7, 47, 403, 19403, 15435513395, 8215692183434294399)
55: (2, 3, 7, 47, 403, 19403, 15435513463, 2456237880094942747)
56: (2, 3, 7, 47, 403, 19403, 15435516179, 84697872837562655)
57: (2, 3, 7, 47, 415, 8111, 6644612311, 44150872756848148411)
58: (2, 3, 7, 47, 415, 8111, 6644612339, 1522443894582665279)
59: (2, 3, 7, 47, 415, 8111, 6644613463, 38292177286592827)
60: (2, 3, 7, 47, 415, 8111, 6644645747, 1320426321921983)
61: (2, 3, 7, 47, 449, 4477, 12137, 34035763385)
62: (2, 3, 7, 47, 583, 1223, 1407479767, 1980999293106894523)
63: (2, 3, 7, 47, 583, 1223, 1407479807, 48317057302587443)
64: (2, 3, 7, 47, 583, 1223, 1468268915, 33995520959)
65: (2, 3, 7, 47, 583, 1223, 2202310039, 3899834875)
66: (2, 3, 7, 53, 209, 10589, 19651, 86321)
67: (2, 3, 7, 53, 269, 817, 7301713, 48932949591475)
68: (2, 3, 7, 53, 401, 409, 351691, 397617853)
69: (2, 3, 7, 55, 179, 24323, 10057317271, 101149630679497570171)
70: (2, 3, 7, 55, 179, 24323, 10057317287, 5949978284730273323)
71: (2, 3, 7, 55, 179, 24323, 10057317311, 2467064172726591731)
72: (2, 3, 7, 55, 179, 24323, 10057317467, 513449911932648503)
73: (2, 3, 7, 55, 179, 24323, 10057317967, 145121431390804003)
74: (2, 3, 7, 55, 179, 24323, 10057320619, 30202945461748519)
75: (2, 3, 7, 55, 179, 24323, 10057325347, 12523178395739983)
76: (2, 3, 7, 55, 179, 24323, 10057454579, 736667018400959)
77: (2, 3, 7, 61, 187, 485, 150809, 971259409)
78: (2, 3, 7, 61, 293, 457, 551, 21709309)
79: (2, 3, 7, 65, 121, 6271, 1579937, 2869621)
80: (2, 3, 7, 67, 113, 28925, 48220169, 4074021053)
81: (2, 3, 7, 67, 113, 29153, 3712777, 45401353)
82: (2, 3, 7, 67, 113, 34477, 178945, 178344158228021)
83: (2, 3, 7, 67, 187, 283, 334651, 49836124516795)
84: (2, 3, 7, 71, 103, 65059, 1101031, 4400294969594807)
85: (2, 3, 11, 17, 79, 301, 1049, 3696653)
86: (2, 3, 11, 17, 97, 151, 444161, 317361415625)
87: (2, 3, 11, 17, 101, 149, 3109, 52495396603)
88: (2, 3, 11, 23, 31, 47059, 2214502423, 4904020979258368507)
89: (2, 3, 11, 23, 31, 47059, 2214502427, 980804197623275639)
90: (2, 3, 11, 23, 31, 47059, 2214502475, 92528699894575367)
91: (2, 3, 11, 23, 31, 47059, 2214502687, 18505741750517011)
92: (2, 3, 11, 23, 31, 47059, 2214502831, 11990273552017987)
93: (2, 3, 11, 23, 31, 47059, 2214504467, 2398056482005535)
94: (2, 3, 11, 23, 31, 47059, 2214524099, 226233749172527)
95: (2, 3, 11, 23, 31, 47059, 2214610807, 45248521436443)
96: (2, 3, 11, 23, 31, 47059, 2215070383, 8636647107907)
97: (2, 3, 11, 23, 31, 47059, 2217342227, 1729101023519)
98: (2, 3, 11, 23, 31, 47059, 2244604355, 165128325167)
99: (2, 3, 11, 23, 31, 47059, 2294166883, 63772955407)
100: (2, 3, 11, 23, 31, 47059, 2365012087, 34797266971)
101: (2, 3, 11, 23, 31, 47059, 2446798471, 23325584587)
102: (2, 3, 11, 23, 31, 47059, 2612824727, 14526193019)
103: (2, 3, 11, 23, 31, 47059, 3375982667, 6436718855)
104: (2, 3, 11, 23, 31, 47063, 442938131, 980970939025927675)
105: (2, 3, 11, 23, 31, 47063, 447473399, 43702604167)
106: (2, 3, 11, 23, 31, 47095, 59897203, 132743972247361531)
107: (2, 3, 11, 23, 31, 47119, 36349891, 4619150372467)
108: (2, 3, 11, 23, 31, 47131, 30382063, 67384091875543675)
109: (2, 3, 11, 23, 31, 47147, 24928579, 11061526082145911)
110: (2, 3, 11, 23, 31, 47243, 12017087, 26715920281613179)
111: (2, 3, 11, 23, 31, 47423, 6114059, 13644326865136507)
112: (2, 3, 11, 23, 31, 47479, 5307047, 2371471764522551)
113: (2, 3, 11, 23, 31, 47491, 5161279, 4952592862147)
114: (2, 3, 11, 23, 31, 49759, 866923, 2029951372029307)
115: (2, 3, 11, 23, 31, 60563, 211031, 601432790177275)
116: (2, 3, 11, 23, 31, 74963, 126415, 259118345891)
117: (2, 3, 11, 23, 31, 84527, 106159, 84453127154999)
118: (2, 3, 11, 25, 29, 787, 264841, 2542873)
119: (2, 3, 11, 25, 29, 1097, 2753, 144508961851)
120: (2, 3, 11, 31, 35, 67, 369067, 1770735487291)
121: (2, 3, 13, 25, 29, 67, 2981, 11294561851)
122: (2, 5, 7, 11, 17, 157, 961, 4398619)
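The following is an added example, not part of the book, that checks table rows against the two equations and shows how rows of this shape arise. It assumes the equations as they read in the appendix headings: the Plus-Type Equation, sum of 1/x_i plus 1/(product of the x_i) = 1 (Appendix A), and the Minus-Type Equation, sum of 1/x_i minus 1/(product of the x_i) = 1 (Appendices B and C), which are also the equations named in Application 3 of Section 6.3. Exact rational arithmetic is used so that a row is accepted only when it satisfies its equation exactly; the rows embedded below were copied from the tables, and the function names are the example's own.

```python
"""Checking and extending solutions of the plus-type and minus-type equations.

Added example (not from the book).  Exact rational arithmetic makes the check a
real equality test rather than a floating-point approximation.
"""
from fractions import Fraction
from math import prod


def residual(xs, sign: int) -> Fraction:
    """sum 1/x_i  +/-  1/prod(x_i)  -  1; zero exactly when xs solves the equation."""
    if any(x < 2 for x in xs):
        raise ValueError("all x_i must be integers >= 2")
    s = sum(Fraction(1, x) for x in xs)
    return s + sign * Fraction(1, prod(xs)) - 1


def classify(xs) -> str:
    """'plus', 'minus', or 'none' according to which equation the tuple satisfies."""
    if residual(xs, +1) == 0:
        return "plus"
    if residual(xs, -1) == 0:
        return "minus"
    return "none"


def extend(xs, sign: int) -> tuple:
    """Sylvester-style extension of a plus-type solution by one term.

    For a plus-type solution, sum 1/x_i = 1 - 1/P with P = prod(xs).  Appending
    P + 1 gives sum 1/x_i = 1 - 1/(P(P+1)), a plus-type solution of length n+1;
    appending P - 1 gives sum 1/x_i = 1 + 1/(P(P-1)), a minus-type solution.
    """
    if sign not in (+1, -1) or classify(xs) != "plus":
        raise ValueError("extension needs a plus-type prefix and sign +1 or -1")
    return tuple(xs) + (prod(xs) + sign,)


def sylvester(n: int) -> tuple:
    """First n terms of 2, 3, 7, 43, 1807, ...; every prefix is a plus-type solution."""
    xs = (2,)
    while len(xs) < n:
        xs = extend(xs, +1)
    return xs


def check_table(rows, expected: str) -> list:
    """Return the 1-based row numbers whose tuple does NOT satisfy the expected equation."""
    return [i for i, xs in enumerate(rows, start=1) if classify(xs) != expected]


# Sample rows copied from the tables (Appendix A is plus-type, Appendices B and C
# minus-type).  The complete tables can be pasted in the same way.
APPENDIX_A_SAMPLE = [
    (2, 3, 7, 43, 1807, 3263443, 10650056950807, 113423713055421844361000443),
]
APPENDIX_B_SAMPLE = [(2, 3, 5), (2, 3, 11, 13), (2, 3, 7, 41), (2, 3, 7, 43, 1805)]
APPENDIX_C_SAMPLE = [
    (2, 3, 7, 43, 1807, 3263443, 10650056950807, 113423713055421844361000441),
]
```

`extend` makes the structure of the tables visible: the prefix (2, 3, 7, 43, 1807, 3263443, 10650056950807) is a plus-type solution with product P, and `extend` with sign +1 reproduces row 1 of Appendix A (last term P + 1) while sign -1 reproduces row 1 of Appendix C (last term P - 1); likewise (2, 3, 11, 23, 31) extended with sign -1 gives row 7 of Appendix B. `check_table` returns the numbers of the rows that fail, which is the quickest way to catch transcription errors once the full tables are pasted in.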
Appendix B: All solutions of $\sum_{1 \le i \le N} \frac{1}{x_i} - \frac{1}{\prod_{1 \le i \le N} x_i} = 1$ for $N \le 7$

1: (2, 3, 5)
2: (2, 3, 11, 13)
3: (2, 3, 7, 41)
4: (2, 3, 11, 17, 59)
5: (2, 3, 7, 83, 85)
6: (2, 3, 7, 43, 1805)
7: (2, 3, 11, 23, 31, 47057)
8: (2, 3, 7, 71, 103, 61429)
9: (2, 3, 7, 53, 271, 799)
10: (2, 3, 7, 47, 481, 2203)
11: (2, 3, 7, 47, 395, 779729)
12: (2, 3, 7, 43, 3611, 3613)
13: (2, 3, 7, 43, 3041, 4447)
14: (2, 3, 7, 43, 2501, 6499)
15: (2, 3, 7, 43, 2167, 10841)
16: (2, 3, 7, 43, 2053, 15011)
17: (2, 3, 7, 43, 1945, 25271)
18: (2, 3, 7, 43, 1901, 36139)
19: (2, 3, 7, 43, 1871, 51985)
20: (2, 3, 7, 43, 1825, 173471)
21: (2, 3, 7, 43, 1819, 252701)
22: (2, 3, 7, 43, 1811, 654133)
23: (2, 3, 7, 43, 1807, 3263441)
24: (2, 3, 11, 23, 31, 94115, 94117)
25: (2, 3, 11, 23, 31, 47059, 2214502421)
26: (2, 3, 7, 71, 103, 67213, 713863)
27: (2, 3, 7, 71, 103, 62857, 2704339)
28: (2, 3, 7, 71, 103, 61955, 7238201)
29: (2, 3, 7, 71, 103, 61559, 29133437)
30: (2, 3, 7, 71, 103, 61477, 79005919)
31: (2, 3, 7, 71, 103, 61441, 319853515)
32: (2, 3, 7, 59, 163, 1381, 775807)
33: (2, 3, 7, 55, 179, 24323, 10057317269)
34: (2, 3, 7, 47, 583, 1223, 1407479765)
35: (2, 3, 7, 47, 449, 3299, 379591)
36: (2, 3, 7, 47, 415, 8111, 6644612309)
37: (2, 3, 7, 47, 403, 19403, 15435513365)
38: (2, 3, 7, 47, 401, 25535, 1837531099)
39: (2, 3, 7, 47, 395, 779731, 607979652629)
40: (2, 3, 7, 47, 395, 788491, 70175789)
41: (2, 3, 7, 47, 395, 779819, 6832003021)
42: (2, 3, 7, 47, 395, 1559459, 1559461)
43: (2, 3, 7, 43, 3307, 3979, 642279641)
44: (2, 3, 7, 43, 2533, 7807, 32435)
45: (2, 3, 7, 43, 2159, 11047, 98567401)
46: (2, 3, 7, 43, 1907, 43115, 163073)
47: (2, 3, 7, 43, 1907, 34165, 17766223)
48: (2, 3, 7, 43, 1823, 193667, 637617223445)
49: (2, 3, 7, 43, 1807, 3263443, 10650056950805)
50: (2, 3, 7, 43, 1807, 6526883, 6526885)
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Appendix C: All 550 solutions of V — 

l<i<8 * 


n 

1<*<8 


Xi 


= 1 


1 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650056950807 , 113423713055421844361000441 ) 

2 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056950811 , 22684742611092888917760733 ) 

3 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056950847 , 2766432025752386503391041 ) 

4 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056950895 , 1274423742206281453625521 ) 

5 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056951011 , 553286405158997346238853 ) 

6 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650056951251 , 254884748449776336285749 ) 

7 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056951353 , 207355965377032496263511 ) 

8 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056951413 , 186859494335874429774611 ) 

9 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056951839 , 109800303065259151146401 ) 

10 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650056953541 , 41471193083926544813347 ) 

11 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650056953841 , 37371898875694931515567 ) 

12 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056954455 , 31083505917860578820921 ) 

13 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056955925 , 22157396583303152145971 ) 

14 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056955971 , 21960060621571875789925 ) 

15 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650056969051 , 6216701192092161324829 ) 

16 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056973233 , 5057462580561823763311 ) 

17 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650056975693 , 4557548652728700190411 ) 

18 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650056976401 , 4431479325180675989839 ) 

19 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056981857 , 3652819986026411796191 ) 

20 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650056993159 , 2678056182713693394601 ) 

21 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650056999489 , 2329842318137500089151 ) 

22 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650057004829 , 2099544890708757769051 ) 

23 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650057042743 , 1233711280926563627161 ) 

24 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650057062941 , 1011492524632410313307 ) 

25 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650057064837 , 994674380386454897891 ) 

26 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650057075241 , 911509739065785598727 ) 

27 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650057106061 , 730564005725327919883 ) 

28 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650057160685 , 540424317300132443371 ) 

29 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650057162571 , 535611245062784239565 ) 

30 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650057194221 , 465968472147545578475 ) 

31 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650057220921 , 419908986661797114455 ) 

32 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650057282835 , 341607861336024725621 ) 

33 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650057406397 , 248959522702338919291 ) 

34 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650057410491 , 246742264705358286077 ) 

35 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650057515857 , 200731826106380706191 ) 

36 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650057520961 , 198934884597336540223 ) 

37 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650057577837 , 180890131003613942891 ) 

38 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650058000201 , 108084871980072049319 ) 

39 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650058223897 , 89093180781187556791 ) 

40 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650058610951 , 68321580787250505769 ) 

41 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650058946809 , 56825432783897027351 ) 

42 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650059165749 , 51208422358805751251 ) 

43 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650059228761 , 49791913060513344503 ) 

44 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650059714345 , 41042931721701387271 ) 

45 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650059750899 , 40507134183243596501 ) 
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46 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650059776061 . 40146373741321701883 ) 

47 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650060058039 , 36503135151956613401 ) 

48 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650060085961 , 36178034720768349223 ) 

49 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650060720223 . 30090529437288820961 ) 

50 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650061626077 , 24260361131432510491 ) 

51 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650062238733 , 21449571707804380811 ) 

52 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650063316261 , 17818644676283072003 ) 

53 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650066930821 , 11365095076824966115 ) 

54 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650067099565 , 11176127163949062571 ) 

55 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650068025521 . 10241692991806710895 ) 
56 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650070563995 , 8331909447275677021 ) 

57 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650070768501 , 8208594864385838099 ) 

58 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650070951271 , 8101435356694279945 ) 

59 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650072486971 , 7300635550436883325 ) 

60 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650073935703 , 6677926509977160761 ) 

61 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650075630037 . 6072193870844315891 ) 
62 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650075797891 , 6018114407503324837 ) 

63 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650075798763 , 6017835980166266861 ) 

64 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650080117897 , 4895908588016066791 ) 

65 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650080327161 . 4852080746332062743 ) 
66 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650082659077 , 4411964805021755491 ) 
67 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650083390441 , 4289922861606436807 ) 

68 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650086501387 , 3838301107202656141 ) 

69 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650089026489 , 3536138409375784151 ) 

70 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650107240345 , 2255424306869577271 ) 

71 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650107694601 , 2235233952835373159 ) 

72 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650112756565 , 2032483912456467571 ) 

73 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650119325763 , 1818428145004661861 ) 

74 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650125016751 , 1666390409500696049 ) 

75 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650126167623 , 1638683417332729961 ) 

76 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650141875291 , 1335593822040992797 ) 

77 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650150346961 , 1214447294214423823 ) 

78 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650151190591 , 1203575716078814017 ) 

79 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650170255905 , 1001057505462912671 ) 

80 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650171754619 . 987989272817600701 ) 

81 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650172786261 , 979190237648774003 ) 

82 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650174744829 , 962909362289669051 ) 

83 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650184347359 . 890330759859381601 ) 

84 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650185492161 . 882401481049911743 ) 

85 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650204703711 , 767668741486091873 ) 
86 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650215900875 , 713591422742310221 ) 

87 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650217329221 . 707236201920717475 ) 

88 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650273755813 , 523170675855668611 ) 

89 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650306159083 . 455146869530958061 ) 

90 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650308398501 . 451093381419476099 ) 

91 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650333494543 , 410158116370430161 ) 

92 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650335979601 . 406505302536854159 ) 

93 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650368825591 , 363694149046493017 ) 

94 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650399936763 , 330705568436396861 ) 
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95 : ( 2 , 3 , 7 . 43 , 1807 , 3263443 , 10650403034891 , 327745203512106637 ) 

96 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650473049925 , 272598857712855971 ) 

97 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650527576309 , 241016954076584851 ) 
98 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650623476301 , 200220021138143179 ) 

99 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650630969871 , 197606374609080785 ) 

100 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650640675495 , 194320939124424521 ) 

101 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650645920921 , 192590392503494455 ) 

102 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650693933571 , 178074672017436965 ) 

103 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650753331583 , 162886646640370561 ) 
104 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650829717043 , 146786877620592661 ) 
105 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10650851701151 , 142726804594022689 ) 

106 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10651140975841 , 104642655216694367 ) 

107 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10651268524627 , 93627490475138741 ) 

108 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10651302992191 , 91037893951752257 ) 

109 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10651372053809 , 86257668576922351 ) 
110 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10651439669491 , 82040143319646677 ) 

111 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10651568606639 , 75043412527964401 ) 

112 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10651734418979 , 67626665001999301 ) 

113 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10651756607257 , 66743967245067191 ) 

114 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10651771880591 , 66149633732840017 ) 

115 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10652118821905 , 55020739247502671 ) 

116 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10652137446401 , 54528291588131839 ) 

117 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10652344986925 , 49583168652060971 ) 

118 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10652410078321 , 48211910860877615 ) 

119 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10652614324043 , 44362296275187661 ) 

120 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10652894840303 , 39978278527091761 ) 

121 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10652911686593 , 39742422633566911 ) 

122 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10652949446875 , 39223741570200221 ) 

123 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10652975574251 , 38872707870445549 ) 

124 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10653266722495 , 35347653446979521 ) 

125 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10653538854691 , 32585849373634757 ) 

126 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10653597727387 , 32044219659746141 ) 

127 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10653920781991 , 29365895569679177 ) 

128 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10654886505749 , 23495984501651251 ) 

129 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10655608321979 , 20442307303554301 ) 

130 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10656114819911 , 18734018140588393 ) 

131 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10656217247519 , 18422703621847201 ) 

132 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10656573903635 , 17415059146837621 ) 

133 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10656632465821 , 17260053760945115 ) 

134 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10657615229971 , 15017202551153525 ) 

135 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10658444291671 , 13533853045960505 ) 

136 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10658555233061 , 13357313494574083 ) 

137 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10660274490163 , 11111533458755861 ) 

138 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10660366306301 , 11012667895061179 ) 

139 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10660366783285 , 11012158887132371 ) 

140 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10660540618853 , 10829736711251011 ) 

141 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10661395244023 , 10014246796303961 ) 

142 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10661497131401 , 9925153775972839 ) 

143 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10662843816991 , 8880979300598177 ) 
144 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10664119375043 , 8076379773522661 )

145 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10664203506947 , 8028411547797541 )

146 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10664246398291 , 8004175750978997 )

147 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10664330629741 , 7957004572274027 ) 

148 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10664519431151 , 7853268359600689 )

149 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10666105809251 , 7078050734956549 )

150 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10667602349407 , 6475234626089441 ) 

151 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10667760833711 , 6417363977509873 )

152 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10669352596429 , 5888852594015051 )

153 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10669526890387 , 5836231209041141 )

154 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10673989663055 , 4749925400059921 )

155 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10674204725521 , 4707716945890895 )

156 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10677813806671 , 4096981506271505 )

157 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10680582700979 , 3726323297169301 )

158 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10680858434371 , 3693060769930085 )

159 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10682641714951 , 3491531874928169 ) 

160 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10687918549705 , 3006395518149671 )

161 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10701144647591 , 2230826737311817 )

162 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10701606113201 , 2210951822987119 ) 

163 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10702008448127 , 2193911731866241 ) 

164 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10702475291041 , 2174467387810847 ) 

165 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10706748416891 , 2011369404821437 ) 

166 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10712034839959 , 1840717434292601 )

167 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10714490281387 , 1770976770356141 )

168 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10718833145899 , 1659821153171501 ) 

169 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10719742865297 , 1638291939587791 ) 

170 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10720369071991 , 1623796000265177 ) 

171 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10720789731511 , 1614202355120153 )

172 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10721557922767 , 1596974129821841 )

173 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10737002638549 , 1315185290379251 ) 

174 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10737783943811 , 1303566970778533 ) 

175 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10746535178921 , 1186290564363655 ) 

176 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10746539642689 , 1186236173401151 ) 

177 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10747406648711 , 1175766287368873 ) 

178 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10767101118073 , 979717680770711 ) 

179 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10768649289635 , 967066923127621 )

180 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10769720512051 , 958505125572629 )

181 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10781657590055 , 872528188414921 )

182 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10795228790627 , 791956632628741 )

183 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10801326374945 , 760462609626271 )

184 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10802685701671 , 753784704994505 )

185 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10814252372083 , 701434928863061 ) 

186 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10839364945301 , 609799149190579 ) 

187 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10877663168899 , 508983160526501 )

188 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10902629116039 , 459724534143401 )

189 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10907489100947 , 451246590807541 )

190 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10909814437411 , 447302391933893 ) 

191 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10935726631127 , 407695038861241 ) 

192 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10959946396571 , 376663532419165 ) 
193 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10965186066515 , 370577805296821 )

194 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10969354355689 , 365879104606151 )

195 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10972223603711 , 362715399631873 )

196 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10993937926271 , 340484276194945 ) 

197 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 10998486523261 , 336178433478203 ) 

198 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11004377837029 , 330765854426051 ) 

199 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11007561810611 , 327914871525013 ) 

200 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11072760082445 , 278979540613771 ) 

201 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11079887340733 , 274530219250811 ) 

202 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11084785389521 , 271557103636495 )

203 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11132470410221 , 245767280240875 )

204 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11230065752587 , 206205215264141 ) 

205 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11235277787141 , 204463581714787 ) 

206 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11243018644951 , 201933430186169 ) 

207 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11253044554543 , 198752950530161 ) 

208 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11308060147051 , 183025683243629 ) 

209 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11369418293447 , 168322851320041 )

210 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11375916149911 , 166911372086393 )

211 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11406404071501 , 160612567485899 ) 

212 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11448324473627 , 152737402123741 ) 

213 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11471034057191 , 148807031333257 ) 

214 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11567632041437 , 134262515716891 ) 

215 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11788088041271 , 110316677665945 ) 

216 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11901612707899 , 101276233541501 ) 

217 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11912917776971 , 100464952389325 ) 

218 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 11937217701511 , 98769363722153 ) 

219 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12078405352411 , 90059053332893 ) 

220 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12202382505665 , 83717019419071 ) 

221 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12211597426295 , 83285838626521 ) 

222 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12225702529351 , 82635606620009 ) 

223 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12246543975221 , 81695866481875 ) 

224 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12382881573515 , 76106024951821 ) 

225 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12405802064689 , 75251525671151 ) 

226 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12421661381921 , 74673216445855 ) 

227 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12586861740613 , 69212341416611 ) 

228 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12763572609001 , 64315953683399 ) 

229 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12780068340967 , 63900341704841 ) 

230 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12799208900441 , 63426089410807 ) 

231 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 12799308335473 , 63423647729711 ) 

232 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 13291823504627 , 53584854838741 ) 

233 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 13550100959711 , 49761088613473 ) 

234 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 13581596801207 , 49340887996441 ) 

235 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 13664994969491 , 48270635666677 ) 

236 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 14019739252817 , 44310118312591 ) 

237 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 14214830148269 , 42467989473451 ) 

238 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 14246863664011 , 42184615824653 ) 

239 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 14307679158979 , 41660288899301 ) 

240 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 14605847318009 , 39322889059351 ) 

241 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 14641394564911 , 39067525985393 ) 
242 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 15237932403961 , 35372548704023 )

243 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 16384623372515 , 30429008786821 ) 

244 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 16852103340505 , 28938167991671 ) 

245 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 16907835736271 , 28775292268945 ) 

246 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 17013643455335 , 28473922938121 ) 

247 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 17382069223163 , 27498468460861 ) 

248 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 18388223159933 , 25307756202811 ) 

249 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 18411684725101 , 25263449444459 ) 

250 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 18457759328251 , 25177213285949 ) 

251 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 19237016528393 , 23858889719911 ) 

252 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 19314180064351 , 23741250551009 )

253 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 19428782520221 , 23570350694875 ) 

254 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 20334080899841 , 22362513843967 ) 

255 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 21204775106587 , 21396313874141 ) 

256 : ( 2 , 3 , 7 , 43 , 1807 , 3263443 , 21300113901611 , 21300113901613 ) 

257 : ( 2 , 3 , 7 , 43 , 1807 , 3263447 , 2130014000915 , 22684798220467498090185209 ) 

258 : ( 2 , 3 , 7 , 43 , 1807 , 3263453 , 968189962295 , 542700517576754375213351 ) 

259 : ( 2 , 3 , 7 , 43 , 1807 , 3263453 , 968189962447 , 6097758625415225751631 ) 

260 : ( 2 , 3 , 7 , 43 , 1807 , 3263453 , 968191675715 , 547088581335563051 ) 

261 : ( 2 , 3 , 7 , 43 , 1807 , 3263453 , 968342456827 , 6148020023058931 ) 

262 : ( 2 , 3 , 7 , 43 , 1807 , 3263467 , 426011650123 , 29087649458734661 ) 

263 : ( 2 , 3 , 7 , 43 , 1807 , 3263467 , 431493708101 , 33492839204683 ) 

264 : ( 2 , 3 , 7 , 43 , 1807 , 3263467 , 440049819613 , 13347917207171 ) 

265 : ( 2 , 3 , 7 , 43 , 1807 , 3263467 , 440695252693 , 12780162328091 ) 

266 : ( 2 , 3 , 7 , 43 , 1807 , 3263483 , 259760670451 , 553299968487595040585437 ) 

267 : ( 2 , 3 , 7 , 43 , 1807 , 3263483 , 259760739379 , 978927350808388381 ) 

268 : ( 2 , 3 , 7 , 43 , 1807 , 3263483 , 259767485441 , 9901316798999735 ) 

269 : ( 2 , 3 , 7 , 43 , 1807 , 3263497 , 193640603263 , 738917082487556510171 ) 

270 : ( 2 , 3 , 7 , 43 , 1807 , 3263573 , 81301383575 , 17297566015272971711 ) 

271 : ( 2 , 3 , 7 , 43 , 1807 , 3263573 , 82889098211 , 4244463432803 ) 

272 : ( 2 , 3 , 7 , 43 , 1807 , 3263591 , 71480133827 , 761302020256877140089593 ) 

273 : ( 2 , 3 , 7 , 43 , 1807 , 3263671 , 46510048103 , 99073853514040014508189 )

274 : ( 2 , 3 , 7 , 43 , 1807 , 3263683 , 44194462691 , 18581823597527605 ) 

275 : ( 2 , 3 , 7 , 43 , 1807 , 3263773 , 33375205823 , 897552055711 ) 

276 : ( 2 , 3 , 7 , 43 , 1807 , 3263843 , 26562000961 , 4898649404931690223 ) 

277 : ( 2 , 3 , 7 , 43 , 1807 , 3263945 , 21176332403 , 11871780956994661586951 ) 

278 : ( 2 , 3 , 7 , 43 , 1807 , 3264011 , 20287332797 , 242376931523 ) 

279 : ( 2 , 3 , 7 , 43 , 1807 , 3264061 , 17208519803 , 1929541286388481114963 ) 

280 : ( 2 , 3 , 7 , 43 , 1807 , 3264167 , 14692992667 , 205671385394733992017 )

281 : ( 2 , 3 , 7 , 43 , 1807 , 3264187 , 14298637519 , 152316021000302785506425 ) 

282 : ( 2 , 3 , 7 , 43 , 1807 , 3264199 , 14072032361 , 34190638054365523 ) 

283 : ( 2 , 3 , 7 , 43 , 1807 , 3264461 , 10843167823 , 291848881087 ) 

284 : ( 2 , 3 , 7 , 43 , 1807 , 3264977 , 6941413295 , 11671343143607219 ) 

285 : ( 2 , 3 , 7 , 43 , 1807 , 3266063 , 4066618531 , 47894463455777446945 ) 

286 : ( 2 , 3 , 7 , 43 , 1807 , 3267031 , 2970678791 , 160775038921890887773 ) 

287 : ( 2 , 3 , 7 , 43 , 1807 , 3267301 , 4840020859 , 6438862043 ) 

288 : ( 2 , 3 , 7 , 43 , 1807 , 3268751 , 2009301055 , 404414650631470247053 ) 

289 : ( 2 , 3 , 7 , 43 , 1807 , 3271393 , 1342724351 , 150893967753302743219 ) 

290 : ( 2 , 3 , 7 , 43 , 1807 , 3272831 , 1137575263 , 2430018690045381520285 ) 
291 : ( 2 , 3 , 7 , 43 , 1807 , 3276181 , 850534063 , 63446582375 )

292 : ( 2 , 3 , 7 , 43 , 1807 , 3276281 , 833444231 , 1031685689123 ) 

293 : ( 2 , 3 , 7 , 43 , 1807 , 3276773 , 802157275 , 23893916024601906811 ) 

294 : ( 2 , 3 , 7 , 43 , 1807 , 3288647 , 425800789 , 31785447208059535 ) 

295 : ( 2 , 3 , 7 , 43 , 1807 , 3289787 , 407516761 , 2587292602794911023 ) 

296 : ( 2 , 3 , 7 , 43 , 1807 , 3332107 , 158365099 , 1082703262718405 ) 

297 : ( 2 , 3 , 7 , 43 , 1807 , 3354583 , 120117325 , 10431144828791 ) 

298 : ( 2 , 3 , 7 , 43 , 1807 , 3404603 , 95947769 , 438097871 ) 

299 : ( 2 , 3 , 7 , 43 , 1807 , 3409363 , 84824905 , 754136231 ) 

300 : ( 2 , 3 , 7 , 43 , 1807 , 3419881 , 71341483 , 114256603062479 ) 

301 : ( 2 , 3 , 7 , 43 , 1807 , 3483107 , 55865009 , 701928095 ) 

302 : ( 2 , 3 , 7 , 43 , 1807 , 3558181 , 39397291 , 549162395020523 ) 

303 : ( 2 , 3 , 7 , 43 , 1807 , 3599423 , 34961825 , 561529103817011 ) 

304 : ( 2 , 3 , 7 , 43 , 1807 , 3667523 , 29619721 , 19819217116471 ) 

305 : ( 2 , 3 , 7 , 43 , 1807 , 5778053 , 7498711 , 431098798655023 ) 

306 : ( 2 , 3 , 7 , 43 , 1811 , 654137 , 112603355159 , 2343968949833659663 ) 

307 : ( 2 , 3 , 7 , 43 , 1811 , 654167 , 12660248233 , 1341879276045695 ) 

308 : ( 2 , 3 , 7 , 43 , 1811 , 654167 , 12660392623 , 607509924211097 ) 

309 : ( 2 , 3 , 7 , 43 , 1811 , 654433 , 1427906867 , 4841683965821195 ) 

310 : ( 2 , 3 , 7 , 43 , 1811 , 656011 , 228620033 , 532822850387 ) 

311 : ( 2 , 3 , 7 , 43 , 1811 , 658087 , 108880649 , 2974997080463 ) 

312 : ( 2 , 3 , 7 , 43 , 1811 , 658313 , 104250607 , 8764202183 ) 

313 : ( 2 , 3 , 7 , 43 , 1811 , 676567 , 19738273 , 36468880087 ) 

314 : ( 2 , 3 , 7 , 43 , 1811 , 730717 , 6248239 , 5660284603 ) 

315 : ( 2 , 3 , 7 , 43 , 1811 , 830113 , 3087647 , 4669841615 ) 

316 : ( 2 , 3 , 7 , 43 , 1811 , 1033163 , 1786303 , 976842557 ) 

317 : ( 2 , 3 , 7 , 43 , 1817 , 303479 , 17543063 , 156178151522731 ) 

318 : ( 2 , 3 , 7 , 43 , 1819 , 267097 , 4693135 , 4776988367 ) 

319 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637617223447 , 406555723635623909338361 ) 

320 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637617223451 , 81311144727634875646429 ) 

321 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637617223483 , 10987992531312922415741 ) 

322 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637617223631 , 2197598506772678261905 ) 

323 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637617223895 , 905469318310192484281 ) 

324 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637617225691 , 181093864172132275613 ) 

325 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637617240059 , 24472144358497635901 ) 

326 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637617260377 , 11008522574065905911 ) 

327 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637617306511 , 4894429381793305937 ) 

328 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637617408101 , 2201705024906959939 ) 

329 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637618589893 , 297528257521241891 ) 

330 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637620676465 , 117739846012829231 ) 

331 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637624055681 , 59506161598027135 ) 

332 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637633805465 , 24518503845394231 ) 

333 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637634488541 , 23548479296344603 ) 

334 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637655604065 , 10593372550315231 ) 

335 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637700133541 , 4904210862857603 ) 

336 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637744985149 , 3182778384672251 ) 

337 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 637809126541 , 2119184603841803 ) 

338 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 638230758149 , 663282650417251 ) 

339 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 638256031961 , 637065770713207 ) 
340 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 639037306349 , 286927750550251 )

341 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 639167628977 , 262863025676911 )

342 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 640684896961 , 133166623862207 )

343 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 644717637961 , 57895643888807 )

344 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 645369251101 , 53082698914139 ) 

345 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 654850121377 , 24229454490911 ) 

346 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 694982228093 , 7724790424891 ) 

347 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 723781713101 , 5355984676939 ) 

348 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 765140668135 , 3825703340681 )

349 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 924442246681 , 2055051863735 ) 

350 : ( 2 , 3 , 7 , 43 , 1823 , 193667 , 1275234446891 , 1275234446893 ) 

351 : ( 2 , 3 , 7 , 43 , 1823 , 193727 , 624696145 , 1249029542707580051 ) 

352 : ( 2 , 3 , 7 , 43 , 1823 , 193747 , 468685325 , 2558779870050491 ) 

353 : ( 2 , 3 , 7 , 43 , 1823 , 195227 , 24235643 , 71694375412021 )

354 : ( 2 , 3 , 7 , 43 , 1831 , 138683 , 2861051 , 1456230512169437 ) 

355 : ( 2 , 3 , 7 , 43 , 1831 , 238123 , 297557 , 17623382424931 ) 

356 : ( 2 , 3 , 7 , 43 , 1843 , 89959 , 11976990133 , 34817546746755863675 ) 

357 : ( 2 , 3 , 7 , 43 , 1843 , 89959 , 11976990545 , 344728197469850263 ) 

358 : ( 2 , 3 , 7 , 43 , 1853 , 71203 , 10360092227 , 36845145540307875671 ) 

359 : ( 2 , 3 , 7 , 43 , 1853 , 71203 , 10382523559 , 4795251910195 ) 

360 : ( 2 , 3 , 7 , 43 , 1867 , 55277 , 1961928211 , 4520530841303023 ) 

361 : ( 2 , 3 , 7 , 43 , 1873 , 50639 , 16834739 , 45310242714479 ) 

362 : ( 2 , 3 , 7 , 43 , 1873 , 51911 , 2163883 , 12322207 ) 

363 : ( 2 , 3 , 7 , 43 , 1913 , 32311 , 46532123 , 273389846882848007 ) 

364 : ( 2 , 3 , 7 , 43 , 1919 , 30671 , 975201683 , 1494685587100417 ) 

365 : ( 2 , 3 , 7 , 43 , 1997 , 18883 , 959198423 , 514365153707602931 ) 

366 : ( 2 , 3 , 7 , 43 , 1997 , 18883 , 959225723 , 33700641672431 ) 

367 : ( 2 , 3 , 7 , 43 , 2003 , 18371 , 39817607 , 529220481881695069 ) 

368 : ( 2 , 3 , 7 , 43 , 2033 , 32287 , 32411 , 4601387132471 ) 

369 : ( 2 , 3 , 7 , 43 , 2075 , 13939 , 24410963 , 45271367153 ) 

370 : ( 2 , 3 , 7 , 43 , 2087 , 13739 , 565721 , 67188075943 )

371 : ( 2 , 3 , 7 , 43 , 2147 , 11371 , 1520374063 , 13406916288849768157 ) 

372 : ( 2 , 3 , 7 , 43 , 2161 , 21803 , 22175 , 19209741287 ) 

373 : ( 2 , 3 , 7 , 43 , 2225 , 9599 , 10677439 , 2083854611 ) 

374 : ( 2 , 3 , 7 , 43 , 2243 , 12491 , 35995 , 25573817 ) 

375 : ( 2 , 3 , 7 , 43 , 2441 , 6943 , 129692807 , 248849507 ) 

376 : ( 2 , 3 , 7 , 43 , 2593 , 5951 , 58180667 , 6322831502951 ) 

377 : ( 2 , 3 , 7 , 43 , 3203 , 4141 , 66724871 , 12730559229347 ) 

378 : ( 2 , 3 , 7 , 43 , 3263 , 4045 , 40608343 , 727261435685959 ) 

379 : ( 2 , 3 , 7 , 43 , 3263 , 4051 , 2558951 , 61088439723561977 ) 

380 : ( 2 , 3 , 7 , 43 , 3307 , 3979 , 642937961 , 627272420323 )

381 : ( 2 , 3 , 7 , 43 , 3307 , 3979 , 740369317 , 4847851055 ) 

382 : ( 2 , 3 , 7 , 43 , 3407 , 5123 , 15385 , 25524552402311 ) 

383 : ( 2 , 3 , 7 , 43 , 3559 , 3667 , 33816127 , 797040720326433785 ) 

384 : ( 2 , 3 , 7 , 43 , 3719 , 5347 , 10225 , 10069719847 ) 

385 : ( 2 , 3 , 7 , 43 , 3791 , 4177 , 34063 , 47251 ) 

386 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979652631 , 369639258012703445569529 ) 

387 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979652643 , 28433789078461477030853 ) 

388 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979652661 , 11923847033256220488659 ) 
389 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979652701 , 5206186733172704524699 )

390 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979653033 , 917219003119382793863 ) 

391 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979653553 , 400475903112958488943 ) 

392 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979654831 , 167941508110067551729 ) 

393 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979658569 , 62239309921348143271 ) 

394 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979681243 , 12918578108140260253 ) 

395 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979699141 , 7947351944482747939 ) 

396 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979729837 , 4787639785931074987 ) 

397 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607979836739 , 2007720263249603941 ) 

398 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607980074299 , 876610598308786301 ) 

399 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607980257273 , 611335326172198423 ) 

400 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607981094471 , 256366780124913769 ) 

401 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607982046047 , 154440581461956577 ) 

402 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607982954911 , 111935133845893409 ) 

403 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607985134327 , 67432145697278297 ) 

404 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607992724369 , 28278349603173071 ) 

405 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 607998396563 , 19721082760057333 ) 

406 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 608022582283 , 8610956123209613 ) 

407 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 608082023341 , 3611399136628139 ) 

408 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 608149585237 , 2175818873769587 ) 

409 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 608255881459 , 1338771195093461 ) 

410 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 609310471873 , 278361145573823 ) 

411 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 611570627407 , 103543611609617 ) 

412 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 616542746329 , 43774534989431 ) 

413 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 627591899489 , 19455348884191 ) 

414 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 654747318217 , 8511715136807 )

415 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 719299870717 , 3928483909307 ) 

416 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 862938861797 , 2057777285827 ) 

417 : ( 2 , 3 , 7 , 47 , 395 , 779731 , 1215959305259 , 1215959305261 ) 

418 : ( 2 , 3 , 7 , 47 , 395 , 779747 , 35764242853 , 113844911673252232819 ) 

419 : ( 2 , 3 , 7 , 47 , 395 , 779759 , 21057289541 , 4813266433751 ) 

420 : ( 2 , 3 , 7 , 47 , 395 , 779759 , 38765626621 , 45659592271 ) 

421 : ( 2 , 3 , 7 , 47 , 395 , 779767 , 16432641181 , 12695263971863917607 ) 

422 : ( 2 , 3 , 7 , 47 , 395 , 779767 , 16436722861 , 66173085861047 ) 

423 : ( 2 , 3 , 7 , 47 , 395 , 779771 , 19900801759 , 58194426121 ) 

424 : ( 2 , 3 , 7 , 47 , 395 , 779783 , 14885469661 , 50028641623 ) 

425 : ( 2 , 3 , 7 , 47 , 395 , 779831 , 6020372531 , 3660733426607933569529 ) 

426 : ( 2 , 3 , 7 , 47 , 395 , 779837 , 5682995267 , 189977953601291 ) 

427 : ( 2 , 3 , 7 , 47 , 395 , 779959 , 3643426013 , 9796210087 ) 

428 : ( 2 , 3 , 7 , 47 , 395 , 780007 , 2197019071 , 3521690089637 ) 

429 : ( 2 , 3 , 7 , 47 , 395 , 780071 , 1783709071 , 33505194320147509 ) 

430 : ( 2 , 3 , 7 , 47 , 395 , 780499 , 791389997 , 1140143708160043 ) 

431 : ( 2 , 3 , 7 , 47 , 395 , 780809 , 564244859 , 266091145461825119 ) 

432 : ( 2 , 3 , 7 , 47 , 395 , 784751 , 121867639 , 21195582322021 ) 

433 : ( 2 , 3 , 7 , 47 , 395 , 805453 , 24415343 , 51283314802521631 ) 

434 : ( 2 , 3 , 7 , 47 , 395 , 810307 , 20696909 , 12711787483 ) 

435 : ( 2 , 3 , 7 , 47 , 395 , 841727 , 10617301 , 3627426007 ) 

436 : ( 2 , 3 , 7 , 47 , 395 , 852997 , 12808339 , 31168163 ) 

437 : ( 2 , 3 , 7 , 47 , 395 , 1036747 , 5630039 , 7126513 ) 
438 : ( 2 , 3 , 7 , 47 , 395 , 1465487 , 1668001 , 1644259747 )

439 : ( 2 , 3 , 7 , 47 , 395 , 1506907 , 1615811 , 4344500161018957 )

440 : ( 2 , 3 , 7 , 47 , 397 , 71275 , 160970303 , 196784088475439 ) 

441 : ( 2 , 3 , 7 , 47 , 403 , 19403 , 15435513367 , 238255072887400163321 ) 

442 : ( 2 , 3 , 7 , 47 , 403 , 19403 , 15435513371 , 47651014589828443357 ) 

443 : ( 2 , 3 , 7 , 47 , 403 , 19403 , 15435513467 , 2358961132979717821 ) 

444 : ( 2 , 3 , 7 , 47 , 403 , 19403 , 15435513871 , 471792238944354257 ) 

445 : ( 2 , 3 , 7 , 47 , 403 , 19403 , 15466078739 , 7810369763701 )

446 : ( 2 , 3 , 7 , 47 , 403 , 19403 , 15588340231 , 1574422363433 ) 

447 : ( 2 , 3 , 7 , 47 , 403 , 19403 , 18522616039 , 92613080201 ) 

448 : ( 2 , 3 , 7 , 47 , 403 , 19403 , 30871026731 , 30871026733 ) 

449 : ( 2 , 3 , 7 , 47 , 403 , 20017 , 632531 , 2486398615943 ) 

450 : ( 2 , 3 , 7 , 47 , 407 , 13171 , 813986039 , 297015603735318229 ) 

451 : ( 2 , 3 , 7 , 47 , 407 , 13171 , 813986779 , 892679069216489 ) 

452 : ( 2 , 3 , 7 , 47 , 407 , 13171 , 813986909 , 759631511994559 ) 

453 : ( 2 , 3 , 7 , 47 , 407 , 13171 , 813988649 , 253643515029019 ) 

454 : ( 2 , 3 , 7 , 47 , 407 , 13171 , 814276249 , 2283878577419 ) 

455 : ( 2 , 3 , 7 , 47 , 407 , 13171 , 814855189 , 763135297079 ) 

456 : ( 2 , 3 , 7 , 47 , 407 , 13171 , 815007419 , 649516546249 ) 

457 : ( 2 , 3 , 7 , 47 , 407 , 13171 , 1153824559 , 2763656909 ) 

458 : ( 2 , 3 , 7 , 47 , 415 , 8111 , 6644612311 , 44150872756848148409 ) 

459 : ( 2 , 3 , 7 , 47 , 415 , 8111 , 6644612561 , 175899898079686159 ) 

460 : ( 2 , 3 , 7 , 47 , 415 , 8111 , 6644612579 , 164129645121205381 ) 

461 : ( 2 , 3 , 7 , 47 , 415 , 8111 , 6644679829 , 653909586750131 ) 

462 : ( 2 , 3 , 7 , 47 , 415 , 8111 , 6644710721 , 448644223238719 ) 

463 : ( 2 , 3 , 7 , 47 , 415 , 8111 , 6669313471 , 1794045323969 ) 

464 : ( 2 , 3 , 7 , 47 , 415 , 8111 , 6671084869 , 1674442302371 ) 

465 : ( 2 , 3 , 7 , 47 , 415 , 8111 , 13289224619 , 13289224621 ) 

466 : ( 2 , 3 , 7 , 47 , 451 , 4219 , 12721 , 809846028175 ) 

467 : ( 2 , 3 , 7 , 47 , 475 , 2339 , 7588853 , 1097355724147 ) 

468 : ( 2 , 3 , 7 , 47 , 475 , 2339 , 10937161 , 24788231 )

469 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1407479767 , 1980999293106894521 ) 

470 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1407479771 , 396199859747362717 ) 

471 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1407479795 , 68310321810907861 ) 

472 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1407479911 , 13662065488165385 ) 

473 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1407480007 , 8219915480921321 ) 

474 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1407480971 , 1643984222168077 ) 

475 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1407486755 , 283446720357061 ) 

476 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1407514711 , 56690470055225 ) 

477 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1407520043 , 49185787937581 ) 

478 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1407681151 , 9838283571329 ) 

479 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1408647799 , 1697420599001 ) 

480 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1413319931 , 340610103613 ) 

481 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1417186523 , 205492045981 ) 

482 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1456013551 , 42224393009 ) 

483 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 1688975719 , 8444878601 ) 

484 : ( 2 , 3 , 7 , 47 , 583 , 1223 , 2814959531 , 2814959533 ) 

485 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10057317271 , 101149630679497570169 ) 

486 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10057317337 , 1509695990198216567 ) 
487 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10057317373 , 982035259275183803 )

488 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10057324171 , 14657252582957069 )

489 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10057326451 , 11017288204516949 )

490 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10057932397 , 164447044588907 ) 

491 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10058262913 , 106973922824063 ) 

492 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10058412719 , 92346287182321 ) 

493 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10058774641 , 69415603790639 ) 

494 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10120675351 , 1606532921849 ) 

495 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10130712353 , 1388210001823 ) 

496 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10154961127 , 1045960995977 )

497 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10170148517 , 906525568387 ) 

498 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 10207426483 , 683897574293 ) 

499 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 17617010819 , 23437440421 ) 

500 : ( 2 , 3 , 7 , 55 , 179 , 24323 , 20114634539 , 20114634541 ) 

501 : ( 2 , 3 , 7 , 55 , 197 , 1963 , 23731 , 5851217083 )

502 : ( 2 , 3 , 7 , 65 , 121 , 6233 , 108365629 , 3657689751023669 )

503 : ( 2 , 3 , 7 , 67 , 113 , 32159 , 285907 , 55656282215 ) 

504 : ( 2 , 3 , 7 , 67 , 115 , 5779 , 64691 , 12184647841 ) 

505 : ( 2 , 3 , 7 , 67 , 187 , 283 , 334651 , 49836124516793 ) 

506 : ( 2 , 3 , 7 , 71 , 103 , 61463 , 111704965 , 86118313000187 ) 

507 : ( 2 , 3 , 7 , 71 , 103 , 61583 , 24596843 , 3122473822388077 ) 

508 : ( 2 , 3 , 7 , 71 , 103 , 61679 , 15167713 , 18655073941247 ) 

509 : ( 2 , 3 , 7 , 71 , 103 , 62453 , 3747683 , 32674646527 )

510 : ( 2 , 3 , 7 , 71 , 103 , 65635 , 958667 , 68866718993 ) 

511 : ( 2 , 3 , 7 , 97 , 101 , 313 , 2473 , 63700207645 ) 

512 : ( 2 , 3 , 11 , 17 , 101 , 149 , 3109 , 52495396601 ) 

513 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 2214502423 , 4904020979258368505 ) 

514 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 2214502429 , 700574427506483291 ) 

515 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 2214502441 , 258106369427337479 ) 

516 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 2214502471 , 100082062970499689 )

517 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 2214502555 , 36872340387764573 ) 

518 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 2214503353 , 5267479096397015 ) 

519 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 2259696349 , 110725121051 ) 

520 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 2331055181 , 44290048459 ) 

521 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 2530859911 , 17716019369 )

522 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 3030371735 , 8225294713 )

523 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 3073187035 , 7925587613 )

524 : ( 2 , 3 , 11 , 23 , 31 , 47059 , 4429004843 , 4429004845 ) 

525 : ( 2 , 3 , 11 , 23 , 31 , 47063 , 442938131 , 980970939025927673 ) 

526 : ( 2 , 3 , 11 , 23 , 31 , 47065 , 316397839 , 6803428301729243 ) 

527 : ( 2 , 3 , 11 , 23 , 31 , 47095 , 59897203 , 132743972247361529 ) 

528 : ( 2 , 3 , 11 , 23 , 31 , 47107 , 47322265 , 1028152391 ) 

529 : ( 2 , 3 , 11 , 23 , 31 , 47131 , 30382063 , 67384091875543673 ) 

530 : ( 2 , 3 , 11 , 23 , 31 , 47137 , 28282147 , 3892535183 ) 

531 : ( 2 , 3 , 11 , 23 , 31 , 47183 , 17789723 , 11693897561 ) 

532 : ( 2 , 3 , 11 , 23 , 31 , 47243 , 12017087 , 26715920281613177 ) 

533 : ( 2 , 3 , 11 , 23 , 31 , 47423 , 6114059 , 13644326865136505 ) 

534 : ( 2 , 3 , 11 , 23 , 31 , 47735 , 3318041 , 58687879710227 ) 

535 : ( 2 , 3 , 11 , 23 , 31 , 48175 , 2676569 , 8395963 ) 
536 : ( 2 , 3 , 11 , 23 , 31 , 49759 , 866923 , 2029951372029305 )

537 : ( 2 , 3 , 11 , 23 , 31 , 50027 , 792917 , 266665980383003 ) 

538 : ( 2 , 3 , 11 , 23 , 31 , 50299 , 731935 , 331193033 ) 

539 : ( 2 , 3 , 11 , 23 , 31 , 53899 , 371089 , 420055991 ) 

540 : ( 2 , 3 , 11 , 23 , 31 , 55195 , 445661 , 1124947 ) 

541 : ( 2 , 3 , 11 , 23 , 31 , 60563 , 211031 , 601432790177273 ) 

542 : ( 2 , 3 , 11 , 23 , 31 , 69745 , 144667 , 24989779178951 ) 

543 : ( 2 , 3 , 11 , 23 , 31 , 90721 , 97775 , 414514424707 ) 

544 : ( 2 , 3 , 11 , 25 , 29 , 1097 , 2753 , 144508961849 ) 

545 : ( 2 , 3 , 11 , 31 , 35 , 67 , 369067 , 1770735487289 ) 

546 : ( 2 , 3 , 13 , 17 , 37 , 257 , 504565 , 1225587899 ) 

547 : ( 2 , 3 , 13 , 17 , 37 , 257 , 507175 , 90784289 ) 

548 : ( 2 , 3 , 13 , 17 , 37 , 257 , 521749 , 15130715 ) 

549 : ( 2 , 3 , 13 , 17 , 53 , 83 , 253805 , 333362609 ) 

550 : ( 2 , 3 , 13 , 25 , 29 , 67 , 2981 , 11294561849 ) 